Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/analytics/usage_trends/measurement_policy.rb (renamed from app/policies/analytics/instance_statistics/measurement_policy.rb)2
-rw-r--r--app/policies/base_policy.rb11
-rw-r--r--app/policies/concerns/readonly_abilities.rb2
-rw-r--r--app/policies/global_policy.rb2
-rw-r--r--app/policies/group_member_policy.rb2
-rw-r--r--app/policies/group_policy.rb8
-rw-r--r--app/policies/merge_request_policy.rb11
-rw-r--r--app/policies/note_policy.rb4
-rw-r--r--app/policies/project_policy.rb25
9 files changed, 44 insertions, 23 deletions
diff --git a/app/policies/analytics/instance_statistics/measurement_policy.rb b/app/policies/analytics/usage_trends/measurement_policy.rb
index 3d6a5a08ff6..da3c0927ea5 100644
--- a/app/policies/analytics/instance_statistics/measurement_policy.rb
+++ b/app/policies/analytics/usage_trends/measurement_policy.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
module Analytics
- module InstanceStatistics
+ module UsageTrends
class MeasurementPolicy < BasePolicy
delegate { :global }
end
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 51694ec7c50..e32a889c906 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -55,14 +55,17 @@ class BasePolicy < DeclarativePolicy::Base
prevent :read_cross_project
end
- # Policy extended in EE to also enable auditors
- rule { admin }.enable :read_all_resources
+ rule { admin }.policy do
+ # Only for actual administrator accounts, behaviour affected by admin mode application setting
+ enable :admin_all_resources
+ # Policy extended in EE to also enable auditors
+ enable :read_all_resources
+ enable :change_repository_storage
+ end
rule { default }.enable :read_cross_project
condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
-
- rule { admin }.enable :change_repository_storage
end
BasePolicy.prepend_if_ee('EE::BasePolicy')
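Review bot: The comment on `enable :admin_all_resources` ("Only for actual administrator accounts, behaviour affected by admin mode application setting") describes the `admin` condition that gates all three abilities in this block, so placed inside the block it reads as if only that one ability depends on admin mode; move it above `rule { admin }.policy do` and keep the EE-auditor comment where it is on `:read_all_resources`. `:admin_all_resources` is introduced here with no consumer in this diff, so a one-line comment on what it is meant to gate would help the next reader tell it apart from `:read_all_resources`. Whether the `admin` condition itself honours the admin-mode setting is not visible in this hunk; it is defined outside it.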
diff --git a/app/policies/concerns/readonly_abilities.rb b/app/policies/concerns/readonly_abilities.rb
index a267e963541..0303d4cff14 100644
--- a/app/policies/concerns/readonly_abilities.rb
+++ b/app/policies/concerns/readonly_abilities.rb
@@ -17,7 +17,7 @@ module ReadonlyAbilities
READONLY_FEATURES = %i[
issue
- list
+ issue_board_list
merge_request
label
milestone
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 9c79a797a6a..5ee34ebbb2f 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -100,7 +100,7 @@ class GlobalPolicy < BasePolicy
enable :update_custom_attribute
enable :approve_user
enable :reject_user
- enable :read_instance_statistics_measurements
+ enable :read_usage_trends_measurement
end
# We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index 09cac96e3a5..1dd650c8a90 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -4,7 +4,7 @@ class GroupMemberPolicy < BasePolicy
delegate :group
with_scope :subject
- condition(:last_owner) { @subject.group.last_owner?(@subject.user) }
+ condition(:last_owner) { @subject.group.last_owner?(@subject.user) || @subject.group.last_blocked_owner?(@subject.user) }
desc "Membership is users' own"
with_score 0
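Review bot: The `last_owner` condition now also holds for a blocked last owner, but nothing in the hunk records why, and unlike the `Membership is users' own` condition below it has no `desc` line. Add `desc "Last owner of the group, counting a blocked owner"` above the condition (or a comment) so the next reader knows the widening is deliberate rather than accidental. The rule that consumes `last_owner` is outside this hunk. The `||` short-circuits, so `last_blocked_owner?` is only evaluated when `last_owner?` is false.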
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 7dd88fcc1ff..53286cf1fdf 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -97,9 +97,9 @@ class GroupPolicy < BasePolicy
rule { can?(:read_group) }.policy do
enable :read_milestone
- enable :read_list
+ enable :read_issue_board_list
enable :read_label
- enable :read_board
+ enable :read_issue_board
enable :read_group_member
enable :read_custom_emoji
end
@@ -122,9 +122,9 @@ class GroupPolicy < BasePolicy
rule { reporter }.policy do
enable :reporter_access
enable :read_container_image
- enable :admin_board
+ enable :admin_issue_board
enable :admin_label
- enable :admin_list
+ enable :admin_issue_board_list
enable :admin_issue
enable :read_metrics_dashboard_annotation
enable :read_prometheus
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index d5ba42d750c..e3fb54172f8 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -9,7 +9,10 @@ class MergeRequestPolicy < IssuablePolicy
# Although :read_merge_request is computed in the policy context,
# it would not be safe to prevent :create_note there, since
# note permissions are shared, and this would apply too broadly.
- rule { ~can?(:read_merge_request) }.prevent :create_note
+ rule { ~can?(:read_merge_request) }.policy do
+ prevent :create_note
+ prevent :accept_merge_request
+ end
rule { can?(:update_merge_request) }.policy do
enable :approve_merge_request
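Review bot: The three-line comment above the rule explains only why `:create_note` is prevented here rather than in the policy context; with `prevent :accept_merge_request` added under the same rule the comment no longer covers the whole block. A short comment on the new line, such as `# Merging is a write action; never allow it on a merge request the user cannot read`, keeps the two reasons separate. The rule that enables `:accept_merge_request` is in a later hunk of this file.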
@@ -18,6 +21,12 @@ class MergeRequestPolicy < IssuablePolicy
rule { ~anonymous & can?(:read_merge_request) }.policy do
enable :create_todo
end
+
+ condition(:can_merge) { @subject.can_be_merged_by?(@user) }
+
+ rule { can_merge }.policy do
+ enable :accept_merge_request
+ end
end
MergeRequestPolicy.prepend_if_ee('EE::MergeRequestPolicy')
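Review bot: `:accept_merge_request` is enabled solely from `can_merge`, and since it is not one of the `create_read_update_admin_destroy(:merge_request)` abilities, the project-level rules that prevent that set when merge requests or the repository are disabled, or when the project is read-only, do not reach it unless `can_be_merged_by?` checks those states itself, which is not visible here. The only explicit prevent for it is the unreadable-merge-request rule in the previous hunk. Consider pairing the new rule with an explicit prevent for those project states (for example `prevent :accept_merge_request` in the `merge_requests_disabled | repository_disabled` rule of project_policy.rb, if this policy's delegation makes that apply), or document on the condition that `can_be_merged_by?` already accounts for archived and feature-disabled projects. `@user` may be nil for anonymous access; the `create_todo` rule above guards with `~anonymous`, so confirm the model method tolerates nil or add the same guard.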
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 2bf6b6c3161..38f0f165376 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -57,6 +57,10 @@ class NotePolicy < BasePolicy
enable :resolve_note
end
+ rule { can_read_confidential }.policy do
+ enable :mark_note_as_confidential
+ end
+
rule { confidential & ~can_read_confidential }.policy do
prevent :read_note
prevent :admin_note
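Review bot: The new rule grants `:mark_note_as_confidential` on `can_read_confidential` alone, so anyone who may read confidential notes may mark one, independent of whether they may change it (`:admin_note`), and the hunk does not show whether the caller checks that separately. If marking is meant to be limited to users who can also edit the note, tighten the rule to `rule { can_read_confidential & can?(:admin_note) }.policy do`; otherwise a comment stating that read access is the intended bar would settle the question for the next reader. `can_read_confidential` is defined outside this hunk.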
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index aaf985d6c63..de80f2f72b8 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -156,6 +156,7 @@ class ProjectPolicy < BasePolicy
metrics_dashboard
analytics
operations
+ security_and_compliance
]
features.each do |f|
@@ -203,8 +204,8 @@ class ProjectPolicy < BasePolicy
rule { can?(:guest_access) }.policy do
enable :read_project
enable :create_merge_request_in
- enable :read_board
- enable :read_list
+ enable :read_issue_board
+ enable :read_issue_board_list
enable :read_wiki
enable :read_issue
enable :read_label
@@ -230,7 +231,7 @@ class ProjectPolicy < BasePolicy
rule { guest & can?(:read_container_image) }.enable :build_read_container_image
rule { can?(:reporter_access) }.policy do
- enable :admin_board
+ enable :admin_issue_board
enable :download_code
enable :read_statistics
enable :download_wiki_code
@@ -239,7 +240,7 @@ class ProjectPolicy < BasePolicy
enable :reopen_issue
enable :admin_issue
enable :admin_label
- enable :admin_list
+ enable :admin_issue_board_list
enable :admin_issue_link
enable :read_commit_status
enable :read_build
@@ -318,7 +319,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:developer_access) }.policy do
enable :create_package
- enable :admin_board
+ enable :admin_issue_board
enable :admin_merge_request
enable :admin_milestone
enable :update_merge_request
@@ -368,7 +369,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:maintainer_access) }.policy do
enable :destroy_package
- enable :admin_board
+ enable :admin_issue_board
enable :push_to_delete_protected_branch
enable :update_snippet
enable :admin_snippet
@@ -428,8 +429,8 @@ class ProjectPolicy < BasePolicy
rule { issues_disabled }.policy do
prevent(*create_read_update_admin_destroy(:issue))
- prevent(*create_read_update_admin_destroy(:board))
- prevent(*create_read_update_admin_destroy(:list))
+ prevent(*create_read_update_admin_destroy(:issue_board))
+ prevent(*create_read_update_admin_destroy(:issue_board_list))
end
rule { merge_requests_disabled | repository_disabled }.policy do
@@ -506,8 +507,8 @@ class ProjectPolicy < BasePolicy
rule { can?(:public_access) }.policy do
enable :read_package
enable :read_project
- enable :read_board
- enable :read_list
+ enable :read_issue_board
+ enable :read_issue_board_list
enable :read_wiki
enable :read_label
enable :read_milestone
@@ -640,6 +641,10 @@ class ProjectPolicy < BasePolicy
enable :set_pipeline_variables
end
+ rule { ~security_and_compliance_disabled & can?(:developer_access) }.policy do
+ enable :access_security_and_compliance
+ end
+
private
def user_is_user?
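Review bot: The new `:access_security_and_compliance` rule encodes the feature toggle as `~security_and_compliance_disabled & can?(:developer_access)` leading to an enable, whereas the rest of this file expresses a disabled feature as a standalone `rule { <feature>_disabled }.prevent ...` (see the `issues_disabled` rule in an earlier hunk), which wins over any enable regardless of where it is declared. With the new shape, a second `enable :access_security_and_compliance` added elsewhere (EE, or a higher access level) would silently bypass the toggle. Consider adding `rule { security_and_compliance_disabled }.prevent :access_security_and_compliance` next to the other disabled-feature rules and reducing the new rule to `rule { can?(:developer_access) }.enable :access_security_and_compliance`. This assumes `security_and_compliance_disabled` is generated by the `features.each` loop from the entry added earlier in this diff; that loop body is outside the hunk.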