Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/base_policy.rb2
-rw-r--r--app/policies/group_member_policy.rb2
-rw-r--r--app/policies/group_policy.rb20
-rw-r--r--app/policies/note_policy.rb2
-rw-r--r--app/policies/packages/conan/file_metadatum_policy.rb8
-rw-r--r--app/policies/packages/conan/metadatum_policy.rb8
-rw-r--r--app/policies/packages/package_file_policy.rb6
-rw-r--r--app/policies/project_policy.rb27
-rw-r--r--app/policies/timelog_policy.rb5
9 files changed, 68 insertions, 12 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index e32a889c906..1c19751cf0d 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -6,7 +6,7 @@ class BasePolicy < DeclarativePolicy::Base
desc "User is an instance admin"
with_options scope: :user, score: 0
condition(:admin) do
- if Feature.enabled?(:user_mode_in_session)
+ if Gitlab::CurrentSettings.admin_mode
Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?
else
@user&.admin?
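Review bot: The new branch on line 27 carries no comment explaining that it is fail-closed for admins: when the `admin_mode` setting is on, an admin user only satisfies `condition(:admin)` if `CurrentUserMode#admin_mode?` reports an elevated session, and the plain `@user&.admin?` on line 30 is reached only when the setting is off. I would put that above the `if`, e.g. `# With admin mode enabled an admin must elevate the session (CurrentUserMode) to be treated as admin; otherwise admin? alone suffices`. The condition is declared with `scope: :user`, so its result is cached per user rather than per subject; that was already true with the feature flag, but it is worth confirming it remains the intended granularity now that the switch is an instance-wide setting. The `end` of the `condition(:admin)` block lies outside the hunk.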
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index 1dd650c8a90..8a4cae232a0 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -4,7 +4,7 @@ class GroupMemberPolicy < BasePolicy
delegate :group
with_scope :subject
- condition(:last_owner) { @subject.group.last_owner?(@subject.user) || @subject.group.last_blocked_owner?(@subject.user) }
+ condition(:last_owner) { @subject.group.member_last_owner?(@subject) || @subject.group.member_last_blocked_owner?(@subject) }
desc "Membership is users' own"
with_score 0
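Review bot: The rewritten `last_owner` condition on line 39 still has no `desc`, unlike the neighbouring condition whose `desc` appears on line 40, so any generated explanation of a denied `destroy`/`update` falls back to the bare symbol; add `desc "Membership is the group's last owner (or last blocked owner)"` above `with_scope :subject`. The new predicates take the membership itself rather than `@subject.user`, which is a behavioural change the commit message should state if it affects how inherited owners are counted; that cannot be judged from this hunk.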
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 53286cf1fdf..fc24525ade7 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -61,7 +61,8 @@ class GroupPolicy < BasePolicy
end
with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
with_scope :subject
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
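Review bot: Only the first of the two new conditions is covered by `with_scope :subject` on line 48; as I read DeclarativePolicy, `with_scope`/`with_options` binds to the next `condition` call only, so `resource_access_token_creation_allowed` on line 51 gets the default scope and is cached per user/subject pair even though its value depends solely on the root namespace setting. Give it its own `with_scope :subject` line, exactly as `has_project_with_service_desk_enabled` has on lines 52–53, so the two token conditions are cached the same way.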
@@ -130,6 +131,7 @@ class GroupPolicy < BasePolicy
enable :read_prometheus
enable :read_package
enable :read_package_settings
+ enable :read_group_timelogs
end
rule { maintainer }.policy do
@@ -212,8 +214,14 @@ class GroupPolicy < BasePolicy
rule { developer & dependency_proxy_available }
.enable :admin_dependency_proxy
- rule { resource_access_token_available & can?(:admin_group) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
+ enable :admin_setting_to_allow_project_access_token_creation
+ end
+
+ rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
+ enable :create_resource_access_tokens
end
rule { support_bot & has_project_with_service_desk_enabled }.policy do
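Review bot: `admin_setting_to_allow_project_access_token_creation` on line 69 is granted to the owner of any group, but the setting it names is read from `group.root_ancestor.namespace_settings` on line 85, so for a subgroup the ability points at a setting that lives on an ancestor the user may not own. Unless the settings controller already restricts that page to top-level groups, guard the ability with whatever condition this policy has for root groups (a `has_parent`-style condition, negated), so that the permission and the effective setting agree. Separately, the project policy in this commit prevents bot users from `create_resource_access_tokens`; there is no equivalent prevent here, which is only safe if bot users cannot hold group owner membership — worth a comment either way, e.g. `# No project_bot prevent here: bot users are not expected to be group owners`.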
@@ -241,9 +249,13 @@ class GroupPolicy < BasePolicy
@subject
end
- def resource_access_token_available?
+ def resource_access_token_feature_available?
true
end
+
+ def resource_access_token_creation_allowed?
+ resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+ end
end
GroupPolicy.prepend_if_ee('EE::GroupPolicy')
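Review bot: `resource_access_token_creation_allowed?` on line 85 dereferences `group.root_ancestor.namespace_settings` unconditionally; if a `NamespaceSetting` row is not guaranteed for every root namespace, a missing one raises `NoMethodError` during authorization instead of denying creation. Safe navigation keeps the deny-by-default outcome: `resource_access_token_feature_available? && group.root_ancestor.namespace_settings&.resource_access_token_creation_allowed?`. The method also deserves a one-line comment making the inheritance explicit, e.g. `# Token creation is governed by the root namespace's setting; subgroups cannot override it`.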
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 38f0f165376..d9ea7c38f11 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -76,7 +76,7 @@ class NotePolicy < BasePolicy
def parent_namespace
strong_memoize(:parent_namespace) do
next if @subject.is_a?(PersonalSnippet)
- next @subject.noteable.group if @subject.noteable&.is_a?(Epic)
+ next @subject.noteable.group if @subject.noteable.is_a?(Epic)
@subject.project
end
diff --git a/app/policies/packages/conan/file_metadatum_policy.rb b/app/policies/packages/conan/file_metadatum_policy.rb
new file mode 100644
index 00000000000..ac1ffb3ea93
--- /dev/null
+++ b/app/policies/packages/conan/file_metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Conan
+ class FileMetadatumPolicy < BasePolicy
+ delegate { @subject.package_file.package }
+ end
+ end
+end
diff --git a/app/policies/packages/conan/metadatum_policy.rb b/app/policies/packages/conan/metadatum_policy.rb
new file mode 100644
index 00000000000..8622da015c6
--- /dev/null
+++ b/app/policies/packages/conan/metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Conan
+ class MetadatumPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+ end
+end
diff --git a/app/policies/packages/package_file_policy.rb b/app/policies/packages/package_file_policy.rb
new file mode 100644
index 00000000000..e98f74204e8
--- /dev/null
+++ b/app/policies/packages/package_file_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module Packages
+ class PackageFilePolicy < BasePolicy
+ delegate { @subject.package }
+ end
+end
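Review bot: A bare `delegate` with no comment leaves the reader to work out that a package file inherits every ability of its package, including destructive ones, because DeclarativePolicy delegation passes through whatever the package's own policy (and, through it, the project policy) grants. One line above `delegate` makes that explicit, e.g. `# A package file has no abilities of its own; every check is answered by its parent package's policy`. The same comment fits the two new Conan metadatum policies added in this commit.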
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index de80f2f72b8..c577c8c8471 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -108,7 +108,8 @@ class ProjectPolicy < BasePolicy
condition(:service_desk_enabled) { @subject.service_desk_enabled? }
with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
# We aren't checking `:read_issue` or `:read_merge_request` in this case
# because it could be possible for a user to see an issuable-iid
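Review bot: `with_scope :subject` on line 147 covers only `resource_access_token_feature_available` on line 149; the new `resource_access_token_creation_allowed` on line 150 falls back to the default scope, as I read DeclarativePolicy, and is therefore cached per user/subject pair although its value depends only on the project's namespace settings. Add `with_scope :subject` immediately before line 150, as the other subject-scoped conditions in this file are declared, so both token conditions share the same caching behaviour.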
@@ -259,6 +260,7 @@ class ProjectPolicy < BasePolicy
enable :read_confidential_issues
enable :read_package
enable :read_product_analytics
+ enable :read_group_timelogs
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -631,11 +633,18 @@ class ProjectPolicy < BasePolicy
rule { project_bot }.enable :project_bot_access
- rule { resource_access_token_available & can?(:admin_project) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
end
- rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+ rule { can?(:read_resource_access_tokens) & resource_access_token_creation_allowed }.policy do
+ enable :create_resource_access_tokens
+ end
+
+ rule { can?(:project_bot_access) }.policy do
+ prevent :create_resource_access_tokens
+ end
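Review bot: The replacement for the removed `prevent :admin_resource_access_tokens` on line 168 only prevents `create_resource_access_tokens` (line 174); a project bot whose membership grants `admin_project` still receives `read_resource_access_tokens` and `destroy_resource_access_tokens` from the rule on lines 164–167, so a token can now enumerate and revoke the project's other access tokens, which the old rule blocked outright. If that widening is not intended, extend the prevent block with `prevent :destroy_resource_access_tokens` and `prevent :read_resource_access_tokens` alongside the existing line; if it is intended, a comment such as `# Bots may list and revoke tokens but may not mint new ones` should say so, since the narrowing is easy to read as an oversight.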
rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
enable :set_pipeline_variables
@@ -719,10 +728,18 @@ class ProjectPolicy < BasePolicy
end
end
- def resource_access_token_available?
+ def resource_access_token_feature_available?
true
end
+ def resource_access_token_creation_allowed?
+ group = project.group
+
+ return true unless group # always enable for projects in personal namespaces
+
+ resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+ end
+
def project
@subject
end
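Review bot: The early `return true unless group` on line 188 skips `resource_access_token_feature_available?`, so for a project in a personal namespace the helper reports creation allowed even when an EE override declares the feature unavailable; the rule on lines 169–171 also requires `read_resource_access_tokens`, which carries the feature check, so there is no hole today, but the helper's name promises a self-contained answer and the group variant on line 85 does check it. Put the feature check first and guard `namespace_settings` in case a root namespace has no settings row (not verifiable from here), as below; the personal-namespace branch keeps its explanatory comment.
```ruby
def resource_access_token_creation_allowed?
  return false unless resource_access_token_feature_available?

  group = project.group

  # Projects in personal namespaces have no namespace setting to consult.
  return true unless group

  group.root_ancestor.namespace_settings&.resource_access_token_creation_allowed?
end
```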
diff --git a/app/policies/timelog_policy.rb b/app/policies/timelog_policy.rb
new file mode 100644
index 00000000000..0598817d4e0
--- /dev/null
+++ b/app/policies/timelog_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class TimelogPolicy < BasePolicy
+ delegate { @subject.issuable.resource_parent }
+end
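Review bot: Delegating a `Timelog` to `@subject.issuable.resource_parent` means `read_group_timelogs`, which this commit grants in the project and group policies (apparently at reporter level, though both enclosing rules start outside their hunks), is answered purely by the parent without consulting the owning issue or merge request's own policy, so visibility restrictions on that issuable do not flow through to its timelogs. If that is deliberate, state it: `# Timelogs are visible to anyone who can read timelogs on the parent project/group, regardless of the issuable's own visibility`. If not, delegating to `@subject.issuable` instead would let issue/MR-level prevents apply, assuming those policies chain up to the same parent; that assumption should be checked before switching.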