Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/runner_policy.rb6
-rw-r--r--app/policies/custom_emoji_policy.rb10
-rw-r--r--app/policies/customer_relations/contact_policy.rb6
-rw-r--r--app/policies/customer_relations/organization_policy.rb6
-rw-r--r--app/policies/dependency_proxy/blob_policy.rb6
-rw-r--r--app/policies/dependency_proxy/group_setting_policy.rb6
-rw-r--r--app/policies/dependency_proxy/image_ttl_group_policy_policy.rb6
-rw-r--r--app/policies/dependency_proxy/manifest_policy.rb6
-rw-r--r--app/policies/group_policy.rb15
-rw-r--r--app/policies/issue_policy.rb8
-rw-r--r--app/policies/user_policy.rb1
11 files changed, 71 insertions, 5 deletions
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index de76b7b2b5b..43478cf36c2 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -5,9 +5,9 @@ module Ci
with_options scope: :subject, score: 0
condition(:locked, scope: :subject) { @subject.locked? }
- # rubocop: disable CodeReuse/ActiveRecord
- condition(:owned_runner) { @user.ci_owned_runners.exists?(@subject.id) }
- # rubocop: enable CodeReuse/ActiveRecord
+ condition(:owned_runner) do
+ @user.owns_runner?(@subject)
+ end
rule { anonymous }.prevent_all
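Review bot: The `:owned_runner` condition now rests entirely on `@user.owns_runner?(@subject)`, which is defined outside this diff (limited to app/policies), so the hunk cannot show that it selects the same runners as the removed `ci_owned_runners.exists?(@subject.id)` lookup. Because this condition decides who is treated as a runner's owner, I would state the contract at the call site, for example `# owns_runner? must be equivalent to ci_owned_runners.exists?(runner.id)`. If the helper memoizes the owned runner ids (not visible here), that comment should also say the result is fixed for the lifetime of the user object. A policy spec asserting that a user who does not own the runner is denied would pin this down.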
diff --git a/app/policies/custom_emoji_policy.rb b/app/policies/custom_emoji_policy.rb
index ba73b9a3782..98d1ab737ee 100644
--- a/app/policies/custom_emoji_policy.rb
+++ b/app/policies/custom_emoji_policy.rb
@@ -2,4 +2,14 @@
class CustomEmojiPolicy < BasePolicy
delegate { @subject.group }
+
+ condition(:author) { @subject.creator == @user }
+
+ rule { can?(:maintainer_access) }.policy do
+ enable :delete_custom_emoji
+ end
+
+ rule { author & can?(:create_custom_emoji) }.policy do
+ enable :delete_custom_emoji
+ end
end
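Review bot: The added `condition(:author) { @subject.creator == @user }` does not check that a user is present, so it evaluates to true for an anonymous request whenever the emoji's creator is nil (if that association can ever be empty, for example after the creator is removed). The second rule also requires `can?(:create_custom_emoji)`, which presumably no anonymous user has, but the condition should not depend on its only current caller for safety. I would write it as `condition(:author) { @user && @subject.creator == @user }`. A short comment on the second rule would also help, saying that an author who no longer has create rights in the group also loses delete.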
diff --git a/app/policies/customer_relations/contact_policy.rb b/app/policies/customer_relations/contact_policy.rb
new file mode 100644
index 00000000000..8367649b50c
--- /dev/null
+++ b/app/policies/customer_relations/contact_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module CustomerRelations
+ class ContactPolicy < BasePolicy
+ delegate { @subject.group }
+ end
+end
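Review bot: `ContactPolicy` has no comment saying that it defines no rules of its own, so every ability checked on a contact is whatever the delegated policy grants on `@subject.group`. That is worth stating above the `delegate` line, e.g. `# No subject-level rules: all abilities come from the group's policy via the delegate below.` Otherwise a later reader may assume per-record checks exist. The same applies to the new `OrganizationPolicy` and to the four `DependencyProxy` policies (`BlobPolicy`, `GroupSettingPolicy`, `ImageTtlGroupPolicyPolicy`, `ManifestPolicy`) added in the following hunks. As a smaller style point, all six files go straight from the `# frozen_string_literal: true` line to `module` without a blank line.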
diff --git a/app/policies/customer_relations/organization_policy.rb b/app/policies/customer_relations/organization_policy.rb
new file mode 100644
index 00000000000..7bf8d6ff4cb
--- /dev/null
+++ b/app/policies/customer_relations/organization_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module CustomerRelations
+ class OrganizationPolicy < BasePolicy
+ delegate { @subject.group }
+ end
+end
diff --git a/app/policies/dependency_proxy/blob_policy.rb b/app/policies/dependency_proxy/blob_policy.rb
new file mode 100644
index 00000000000..42e023952d0
--- /dev/null
+++ b/app/policies/dependency_proxy/blob_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module DependencyProxy
+ class BlobPolicy < BasePolicy
+ delegate { @subject.group }
+ end
+end
diff --git a/app/policies/dependency_proxy/group_setting_policy.rb b/app/policies/dependency_proxy/group_setting_policy.rb
new file mode 100644
index 00000000000..71de3cf93bd
--- /dev/null
+++ b/app/policies/dependency_proxy/group_setting_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module DependencyProxy
+ class GroupSettingPolicy < BasePolicy
+ delegate { @subject.group }
+ end
+end
diff --git a/app/policies/dependency_proxy/image_ttl_group_policy_policy.rb b/app/policies/dependency_proxy/image_ttl_group_policy_policy.rb
new file mode 100644
index 00000000000..cf7e1ded137
--- /dev/null
+++ b/app/policies/dependency_proxy/image_ttl_group_policy_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module DependencyProxy
+ class ImageTtlGroupPolicyPolicy < BasePolicy
+ delegate { @subject.group }
+ end
+end
diff --git a/app/policies/dependency_proxy/manifest_policy.rb b/app/policies/dependency_proxy/manifest_policy.rb
new file mode 100644
index 00000000000..f2e91e45327
--- /dev/null
+++ b/app/policies/dependency_proxy/manifest_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module DependencyProxy
+ class ManifestPolicy < BasePolicy
+ delegate { @subject.group }
+ end
+end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 1d0aa54c1c0..7abffd2c352 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -89,6 +89,7 @@ class GroupPolicy < BasePolicy
rule { guest }.policy do
enable :read_group
enable :upload_file
+ enable :guest_access
end
rule { admin }.policy do
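Review bot: `enable :guest_access` here is the first of four role-marker abilities added by this commit; the others are `:developer_access`, `:maintainer_access` and `:owner_access` in later hunks of this file. The `rule { reporter }` block gets `:admin_organization` but no `:reporter_access`, which leaves the ladder with a gap. If that is deliberate because nothing consumes a reporter marker yet, a comment next to the markers would say so, e.g. `# Role markers used by delegating policies via can?(:<role>_access); no reporter marker is needed yet`. Otherwise add `enable :reporter_access` to the reporter rule so that delegating policies such as `CustomEmojiPolicy` can test any role the same way. The guest rule's block starts and ends inside the hunk, but the surrounding class does not.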
@@ -111,8 +112,13 @@ class GroupPolicy < BasePolicy
enable :read_issue_board
enable :read_group_member
enable :read_custom_emoji
+ enable :read_counts
+ enable :read_organization
+ enable :read_contact
end
+ rule { ~public_group & ~has_access }.prevent :read_counts
+
rule { ~can?(:read_group) }.policy do
prevent :read_design_activity
end
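Review bot: `enable :read_organization` and `enable :read_contact` are added next to general read abilities such as `:read_group_member`, and the new `rule { ~public_group & ~has_access }.prevent :read_counts` only restricts `:read_counts`. The header of the enclosing rule is outside the hunk, but if it is the group's general read rule, then everyone who can view a public group can also read its customer contacts and organizations, while `:admin_organization` is reserved for reporters further down. Unless that exposure is intended, I would move both lines into the `rule { reporter }.policy do` block, or add a matching restriction such as `rule { ~has_access }.policy do prevent :read_organization; prevent :read_contact end`. Either way, a spec should assert that a non-member of a public group is denied `:read_contact`.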
@@ -127,6 +133,7 @@ class GroupPolicy < BasePolicy
enable :create_custom_emoji
enable :create_package
enable :create_package_settings
+ enable :developer_access
end
rule { reporter }.policy do
@@ -140,6 +147,7 @@ class GroupPolicy < BasePolicy
enable :read_prometheus
enable :read_package
enable :read_package_settings
+ enable :admin_organization
end
rule { maintainer }.policy do
@@ -155,6 +163,7 @@ class GroupPolicy < BasePolicy
enable :read_deploy_token
enable :create_jira_connect_subscription
enable :update_runners_registration_token
+ enable :maintainer_access
end
rule { owner }.policy do
@@ -170,6 +179,7 @@ class GroupPolicy < BasePolicy
enable :update_default_branch_protection
enable :create_deploy_token
enable :destroy_deploy_token
+ enable :owner_access
end
rule { can?(:read_nested_project_resources) }.policy do
@@ -223,8 +233,9 @@ class GroupPolicy < BasePolicy
rule { dependency_proxy_access_allowed & dependency_proxy_available }
.enable :read_dependency_proxy
- rule { developer & dependency_proxy_available }
- .enable :admin_dependency_proxy
+ rule { developer & dependency_proxy_available }.policy do
+ enable :admin_dependency_proxy
+ end
rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
enable :read_resource_access_tokens
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 74bed6b6c4e..575e532c615 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -69,6 +69,14 @@ class IssuePolicy < IssuablePolicy
rule { persisted & can?(:admin_issue) }.policy do
enable :set_issue_metadata
end
+
+ rule { can?(:set_issue_metadata) }.policy do
+ enable :set_confidentiality
+ end
+
+ rule { ~persisted & can?(:create_issue) }.policy do
+ enable :set_confidentiality
+ end
end
IssuePolicy.prepend_mod_with('IssuePolicy')
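Review bot: The two new `:set_confidentiality` rules set different permission bars with no comment explaining why. A persisted issue needs `:set_issue_metadata` (which the rule above ties to `:admin_issue`), while an unpersisted one only needs `:create_issue`. I would document that above the second rule, e.g. `# Anyone who can create an issue may choose its confidentiality at creation time; afterwards it is treated as issue metadata.` It may also be worth confirming that every caller checks `:set_confidentiality` against the issue object in the state it is in at that moment, since the `~persisted` branch is much wider. The `IssuePolicy` class starts outside this hunk.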
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 067f0f6a9d2..018c061af9f 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -25,6 +25,7 @@ class UserPolicy < BasePolicy
enable :update_user_status
enable :read_user_personal_access_tokens
enable :read_group_count
+ enable :read_user_groups
end
rule { default }.enable :read_user_profile