Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/concerns/policy_actor.rb | 4 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/issue_policy.rb | 12 | ||||
-rw-r--r-- | app/policies/merge_request_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/packages/pypi/metadatum_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 17 | ||||
-rw-r--r-- | app/policies/timelog_policy.rb | 2 |
8 files changed, 47 insertions, 5 deletions
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index 08a26da6673..cbc34bdeed3 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -84,6 +84,10 @@ module PolicyActor
 def password_expired?
 false
 end
+
+ def from_ci_job_token?
+ false
+ end
 end
 PolicyActor.prepend_mod_with('PolicyActor')
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 73757891cd6..35d38bac7fa 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -115,6 +115,7 @@ class GlobalPolicy < BasePolicy
 enable :approve_user
 enable :reject_user
 enable :read_usage_trends_measurement
+ enable :update_runners_registration_token
 end
 # We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 821fabec266..ba06b98e906 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -131,7 +131,6 @@ class GroupPolicy < BasePolicy
 enable :read_prometheus
 enable :read_package
 enable :read_package_settings
- enable :read_group_timelogs
 end
 rule { maintainer }.policy do
@@ -145,6 +144,7 @@ class GroupPolicy < BasePolicy
 enable :admin_cluster
 enable :read_deploy_token
 enable :create_jira_connect_subscription
+ enable :update_runners_registration_token
 end
 rule { owner }.policy do
@@ -155,6 +155,7 @@ class GroupPolicy < BasePolicy
 enable :set_note_created_at
 enable :set_emails_disabled
+ enable :change_prevent_sharing_groups_outside_hierarchy
 enable :update_default_branch_protection
 enable :create_deploy_token
 enable :destroy_deploy_token
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 6eec03d6d75..e58179e320d 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
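Review bot: The new `from_ci_job_token?` default carries no comment, yet the `project_allowed_for_job_token` condition added to project_policy.rb in this same commit treats a `false` return as "no job-token scoping applies", so any actor type that keeps this default is silently exempt from scope enforcement. That contract belongs next to the default: `# Default for actors that are not authenticated through a CI job token. Any actor that can be must override this (and expose ci_job_token_scope), because a false return disables job-token scope checks in ProjectPolicy.` The `module PolicyActor` header is outside the hunk; its closing `end` and the `prepend_mod_with` call are inside it.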
@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy
 desc "Issue is confidential"
 condition(:confidential, scope: :subject) { @subject.confidential? }
+ desc "Issue is persisted"
+ condition(:persisted, scope: :subject) { @subject.persisted? }
+
 rule { confidential & ~can_read_confidential }.policy do
 prevent(*create_read_update_admin_destroy(:issue))
 prevent :read_issue_iid
@@ -38,6 +41,15 @@ class IssuePolicy < IssuablePolicy
 rule { ~anonymous & can?(:read_issue) }.policy do
 enable :create_todo
+ enable :update_subscription
+ end
+
+ rule { ~persisted & can?(:guest_access) }.policy do
+ enable :set_issue_metadata
+ end
+
+ rule { persisted & can?(:admin_issue) }.policy do
+ enable :set_issue_metadata
 end
 end
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index e53a916f3ca..96002d98afe 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -20,6 +20,7 @@ class MergeRequestPolicy < IssuablePolicy
 rule { ~anonymous & can?(:read_merge_request) }.policy do
 enable :create_todo
+ enable :update_subscription
 end
 condition(:can_merge) { @subject.can_be_merged_by?(@user) }
@@ -27,6 +28,10 @@ class MergeRequestPolicy < IssuablePolicy
 rule { can_merge }.policy do
 enable :accept_merge_request
 end
+
+ rule { can?(:admin_merge_request) }.policy do
+ enable :set_merge_request_metadata
+ end
 end
 MergeRequestPolicy.prepend_mod_with('MergeRequestPolicy')
diff --git a/app/policies/packages/pypi/metadatum_policy.rb b/app/policies/packages/pypi/metadatum_policy.rb
new file mode 100644
index 00000000000..5cdcb613f61
--- /dev/null
+++ b/app/policies/packages/pypi/metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Pypi
+ class MetadatumPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 1ce19511bef..e93c60c3710 100644
--- a/app/policies/project_policy.rb
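Review bot: `rule { ~persisted & can?(:guest_access) }` grants `set_issue_metadata` on an unsaved issue to every actor holding `guest_access`, and the project_policy.rb hunks in this commit show that ability family is also granted through `public_user_access`, so on a public project any signed-in non-member would likely be able to set labels, milestone or assignees at creation time if that is what `set_issue_metadata` gates in the create service. If creation-time metadata is meant for members only, narrow the rule with a project-membership condition (IssuablePolicy may already define one); if non-members are intended, say so above the rule: `# guest_access is also held by signed-in non-members of public projects; they may set metadata on issues they create.` The second rule (`persisted & can?(:admin_issue)`) preserves the old admin-only behaviour for existing issues, which is presumably the intent. The `class IssuePolicy` header is outside the hunk; its closing `end` is inside.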
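Review bot: The new metadatum_policy.rb has no blank line after the `# frozen_string_literal: true` magic comment (the hunk header's 8 lines confirm none exists), unlike timelog_policy.rb in this same commit, and RuboCop's Layout/EmptyLineAfterMagicComment would flag it. Insert the blank line after the first line so the file matches the rest of app/policies. Delegating to `@subject.package` looks right for a metadatum that has no access rules of its own; a one-line comment stating that (`# Access to PyPI metadata is exactly access to its package.`) would make the intent explicit.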
+++ b/app/policies/project_policy.rb
@@ -51,7 +51,11 @@ class ProjectPolicy < BasePolicy
 desc "Container registry is disabled"
 condition(:container_registry_disabled, scope: :subject) do
- !project.container_registry_enabled
+ if ::Feature.enabled?(:read_container_registry_access_level, @subject&.namespace, default_enabled: :yaml)
+ !access_allowed_to?(:container_registry)
+ else
+ !project.container_registry_enabled
+ end
 end
 desc "Project has an external wiki"
@@ -75,6 +79,11 @@ class ProjectPolicy < BasePolicy
 user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_package_registry
 end
+ desc "If user is authenticated via CI job token then the target project should be in scope"
+ condition(:project_allowed_for_job_token) do
+ !@user&.from_ci_job_token? || @user.ci_job_token_scope.includes?(project)
+ end
+
 with_scope :subject
 condition(:forking_allowed) do
 @subject.feature_available?(:forking, @user)
@@ -238,6 +247,7 @@ class ProjectPolicy < BasePolicy
 enable :admin_issue_board
 enable :download_code
 enable :read_statistics
+ enable :daily_statistics
 enable :download_wiki_code
 enable :create_snippet
 enable :update_issue
@@ -263,7 +273,6 @@ class ProjectPolicy < BasePolicy
 enable :read_confidential_issues
 enable :read_package
 enable :read_product_analytics
- enable :read_group_timelogs
 end
 # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -347,7 +356,6 @@ class ProjectPolicy < BasePolicy
 enable :update_deployment
 enable :create_release
 enable :update_release
- enable :daily_statistics
 enable :create_metrics_dashboard_annotation
 enable :delete_metrics_dashboard_annotation
 enable :update_metrics_dashboard_annotation
@@ -411,6 +419,7 @@ class ProjectPolicy < BasePolicy
 enable :update_freeze_period
 enable :destroy_freeze_period
 enable :admin_feature_flags_client
+ enable :update_runners_registration_token
 end
 rule { public_project & metrics_dashboard_allowed }.policy do
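Review bot: `container_registry_disabled` keeps `scope: :subject` while its new feature-flag branch calls `access_allowed_to?(:container_registry)`; if that helper resolves a PRIVATE feature level against the current actor's access level (not visible in this hunk, but the usual shape of such a check), the condition's value now depends on the user while its cache key does not, and the first evaluation for one user would be reused for other users of the same project within the request. Unless `access_allowed_to?` is confirmed user-independent, drop the scope for as long as that code path exists: `condition(:container_registry_disabled) do`, and record why in a comment (`# not subject-scoped: access_allowed_to? depends on the actor`). The legacy `!project.container_registry_enabled` branch is subject-only and would have been fine with the scope. The `class ProjectPolicy` header is outside the hunk.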
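Review bot: `project_allowed_for_job_token` dereferences `@user.ci_job_token_scope` without a nil guard as soon as `from_ci_job_token?` is true, and since this condition feeds a `prevent_all` later in the file it is the single enforcement point for job-token scoping; whether `ci_job_token_scope` can ever be nil for such a user is not visible here, but if it can, `!@user&.from_ci_job_token? || @user.ci_job_token_scope&.includes?(project)` denies instead of raising. The `desc` reads as a requirement rather than as the condition being tested; `desc "Project is within the scope of the CI job token the user authenticated with"` matches the other descriptions in this policy. Also worth a comment above the block: `# Fail-open for actors that are not job-token backed (PolicyActor#from_ci_job_token? defaults to false); only job-token users are restricted to their token's scope.` The `class ProjectPolicy` header is outside the hunk.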
@@ -509,6 +518,8 @@ class ProjectPolicy < BasePolicy
 enable :read_project_for_iids
 end
+ rule { ~project_allowed_for_job_token }.prevent_all
+
 rule { can?(:public_access) }.policy do
 enable :read_package
 enable :read_project
diff --git a/app/policies/timelog_policy.rb b/app/policies/timelog_policy.rb
index 0598817d4e0..f71c4204639 100644
--- a/app/policies/timelog_policy.rb
+++ b/app/policies/timelog_policy.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 class TimelogPolicy < BasePolicy
- delegate { @subject.issuable.resource_parent }
+ delegate { @subject.issuable }
 end
|
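Review bot: `rule { ~project_allowed_for_job_token }.prevent_all` has no comment although it is the enforcement point for CI job token scoping and denies every project ability, `read_project` included, to a job-token user whose scope excludes this project; add above it `# A user authenticated with a CI job token may act only on projects inside the token's scope; outside it every ability on the project is denied.` Because this lives in ProjectPolicy only, abilities a job-token user evaluates against GroupPolicy or GlobalPolicy (both touched in this commit) are not constrained by it unless they delegate to a project — worth confirming that is intended, or noting it in the same comment. `prevent_all` beats any `enable` regardless of rule order, so the placement before the `public_access` rule is not itself a problem. The `class ProjectPolicy` header and its closing `end` are both outside the hunk.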