diff options
Diffstat (limited to 'app/policies')
| -rw-r--r-- | app/policies/base_policy.rb | 4 | ||||
| -rw-r--r-- | app/policies/ci/build_policy.rb | 16 | ||||
| -rw-r--r-- | app/policies/ci/pipeline_policy.rb | 5 | ||||
| -rw-r--r-- | app/policies/ci/pipeline_schedule_policy.rb | 4 | ||||
| -rw-r--r-- | app/policies/ci/runner_policy.rb | 2 | ||||
| -rw-r--r-- | app/policies/environment_policy.rb | 14 | ||||
| -rw-r--r-- | app/policies/global_policy.rb | 1 | ||||
| -rw-r--r-- | app/policies/group_policy.rb | 5 | ||||
| -rw-r--r-- | app/policies/personal_snippet_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/project_policy.rb | 58 | ||||
| -rw-r--r-- | app/policies/project_snippet_policy.rb | 2 |
11 files changed, 90 insertions, 27 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 8890409d056..623424c63e0 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -97,6 +97,10 @@ class BasePolicy rules end + def rules + raise NotImplementedError + end + def delegate!(new_subject) @rule_set.merge(Ability.allowed(@user, new_subject)) end diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 8b25332b73c..d4af4490608 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -1,5 +1,7 @@ module Ci class BuildPolicy < CommitStatusPolicy + alias_method :build, :subject + def rules super @@ -8,6 +10,20 @@ module Ci %w[read create update admin].each do |rule| cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build" end + + if can?(:update_build) && protected_action? + cannot! :update_build + end + end + + private + + def protected_action? + return false unless build.action? + + !::Gitlab::UserAccess + .new(user, project: build.project) + .can_push_to_branch?(build.ref) end end end diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb index 3d2eef1c50c..10aa2d3e72a 100644 --- a/app/policies/ci/pipeline_policy.rb +++ b/app/policies/ci/pipeline_policy.rb @@ -1,4 +1,7 @@ module Ci - class PipelinePolicy < BuildPolicy + class PipelinePolicy < BasePolicy + def rules + delegate! @subject.project + end end end diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb new file mode 100644 index 00000000000..1877e89bb23 --- /dev/null +++ b/app/policies/ci/pipeline_schedule_policy.rb @@ -0,0 +1,4 @@ +module Ci + class PipelineSchedulePolicy < PipelinePolicy + end +end diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb index 7edd383530d..416d93ffe63 100644 --- a/app/policies/ci/runner_policy.rb +++ b/app/policies/ci/runner_policy.rb @@ -3,7 +3,7 @@ module Ci def rules return unless @user - can! :assign_runner if @user.is_admin? + can! :assign_runner if @user.admin? return if @subject.is_shared? || @subject.locked? diff --git a/app/policies/environment_policy.rb b/app/policies/environment_policy.rb index f4219569161..2fa15e64562 100644 --- a/app/policies/environment_policy.rb +++ b/app/policies/environment_policy.rb @@ -1,5 +1,17 @@ class EnvironmentPolicy < BasePolicy + alias_method :environment, :subject + def rules - delegate! @subject.project + delegate! environment.project + + if can?(:create_deployment) && environment.stop_action? + can! :stop_environment if can_play_stop_action? + end + end + + private + + def can_play_stop_action? + Ability.allowed?(user, :update_build, environment.stop_action) end end diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index cb72c2b4590..4757ba71680 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -10,6 +10,7 @@ class GlobalPolicy < BasePolicy can! :access_api can! :access_git can! :receive_notifications + can! :use_slash_commands end end end diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 4cc21696eb6..87398303c68 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -12,7 +12,7 @@ class GroupPolicy < BasePolicy can_read ||= globally_viewable can_read ||= member can_read ||= @user.admin? - can_read ||= GroupProjectsFinder.new(@subject).execute(@user).any? + can_read ||= GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any? can! :read_group if can_read # Only group masters and group owners can create new projects @@ -28,6 +28,7 @@ class GroupPolicy < BasePolicy can! :admin_namespace can! :admin_group_member can! :change_visibility_level + can! :create_subgroup if @user.can_create_group end if globally_viewable && @subject.request_access_enabled && !member @@ -41,6 +42,6 @@ class GroupPolicy < BasePolicy return true if @subject.internal? && !@user.external? return true if @subject.users.include?(@user) - GroupProjectsFinder.new(@subject).execute(@user).any? + GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any? end end diff --git a/app/policies/personal_snippet_policy.rb b/app/policies/personal_snippet_policy.rb index d3913986cd8..e1e5336da8c 100644 --- a/app/policies/personal_snippet_policy.rb +++ b/app/policies/personal_snippet_policy.rb @@ -3,11 +3,16 @@ class PersonalSnippetPolicy < BasePolicy can! :read_personal_snippet if @subject.public? return unless @user + if @subject.public? + can! :comment_personal_snippet + end + if @subject.author == @user can! :read_personal_snippet can! :update_personal_snippet can! :destroy_personal_snippet can! :admin_personal_snippet + can! :comment_personal_snippet end unless @user.external? @@ -16,6 +21,7 @@ class PersonalSnippetPolicy < BasePolicy if @subject.internal? && !@user.external? can! :read_personal_snippet + can! :comment_personal_snippet end end end diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index f8594e29547..3959b895f44 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -2,20 +2,13 @@ class ProjectPolicy < BasePolicy def rules team_access!(user) - owner = project.owner == user || - (project.group && project.group.has_owner?(user)) - - owner_access! if user.admin? || owner - team_member_owner_access! if owner + owner_access! if user.admin? || owner? + team_member_owner_access! if owner? if project.public? || (project.internal? && !user.external?) guest_access! public_access! - - if project.request_access_enabled && - !(owner || user.admin? || project.team.member?(user) || project_group_member?(user)) - can! :request_access - end + can! :request_access if access_requestable? end archived_access! if project.archived? @@ -27,6 +20,13 @@ class ProjectPolicy < BasePolicy @subject end + def owner? + return @owner if defined?(@owner) + + @owner = project.owner == user || + (project.group && project.group.has_owner?(user)) + end + def guest_access! can! :read_project can! :read_board @@ -46,6 +46,7 @@ class ProjectPolicy < BasePolicy if project.public_builds? can! :read_pipeline + can! :read_pipeline_schedule can! :read_build end end @@ -63,6 +64,7 @@ class ProjectPolicy < BasePolicy can! :read_build can! :read_container_image can! :read_pipeline + can! :read_pipeline_schedule can! :read_environment can! :read_deployment can! :read_merge_request @@ -83,6 +85,8 @@ class ProjectPolicy < BasePolicy can! :update_build can! :create_pipeline can! :update_pipeline + can! :create_pipeline_schedule + can! :update_pipeline_schedule can! :create_merge_request can! :create_wiki can! :push_code @@ -94,7 +98,7 @@ class ProjectPolicy < BasePolicy end def master_access! - can! :push_code_to_protected_branches + can! :delete_protected_branch can! :update_project_snippet can! :update_environment can! :update_deployment @@ -108,6 +112,7 @@ class ProjectPolicy < BasePolicy can! :admin_build can! :admin_container_image can! :admin_pipeline + can! :admin_pipeline_schedule can! :admin_environment can! :admin_deployment can! :admin_pages @@ -120,6 +125,7 @@ class ProjectPolicy < BasePolicy can! :fork_project can! :read_commit_status can! :read_pipeline + can! :read_pipeline_schedule can! :read_container_image can! :build_download_code can! :build_read_container_image @@ -167,7 +173,7 @@ class ProjectPolicy < BasePolicy def archived_access! cannot! :create_merge_request cannot! :push_code - cannot! :push_code_to_protected_branches + cannot! :delete_protected_branch cannot! :update_merge_request cannot! :admin_merge_request end @@ -198,13 +204,14 @@ class ProjectPolicy < BasePolicy unless project.feature_available?(:builds, user) && repository_enabled cannot!(*named_abilities(:build)) cannot!(*named_abilities(:pipeline)) + cannot!(*named_abilities(:pipeline_schedule)) cannot!(*named_abilities(:environment)) cannot!(*named_abilities(:deployment)) end unless repository_enabled cannot! :push_code - cannot! :push_code_to_protected_branches + cannot! :delete_protected_branch cannot! :download_code cannot! :fork_project cannot! :read_commit_status @@ -226,14 +233,6 @@ class ProjectPolicy < BasePolicy disabled_features! end - def project_group_member?(user) - project.group && - ( - project.group.members_with_parents.exists?(user_id: user.id) || - project.group.requesters.exists?(user_id: user.id) - ) - end - def block_issues_abilities unless project.feature_available?(:issues, user) cannot! :read_issue if project.default_issues_tracker? @@ -254,6 +253,22 @@ class ProjectPolicy < BasePolicy private + def project_group_member?(user) + project.group && + ( + project.group.members_with_parents.exists?(user_id: user.id) || + project.group.requesters.exists?(user_id: user.id) + ) + end + + def access_requestable? + project.request_access_enabled && + !owner? && + !user.admin? && + !project.team.member?(user) && + !project_group_member?(user) + end + # A base set of abilities for read-only users, which # is then augmented as necessary for anonymous and other # read-only users. @@ -269,6 +284,7 @@ class ProjectPolicy < BasePolicy can! :read_merge_request can! :read_note can! :read_pipeline + can! :read_pipeline_schedule can! :read_commit_status can! :read_container_image can! :download_code diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb index 3a96836917e..cf8ff92617f 100644 --- a/app/policies/project_snippet_policy.rb +++ b/app/policies/project_snippet_policy.rb @@ -13,7 +13,7 @@ class ProjectSnippetPolicy < BasePolicy can! :read_project_snippet end - if @subject.private? && @subject.project.team.member?(@user) + if @subject.project.team.member?(@user) can! :read_project_snippet end end |