Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/analytics/instance_statistics/measurement_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/ci/build_policy.rb | 11 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/group_member_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/namespace/package_setting_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/namespace_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/packages/composer/metadatum_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/packages/tag_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 9 |
10 files changed, 60 insertions, 2 deletions
diff --git a/app/policies/analytics/instance_statistics/measurement_policy.rb b/app/policies/analytics/instance_statistics/measurement_policy.rb new file mode 100644 index 00000000000..3d6a5a08ff6 --- /dev/null +++ b/app/policies/analytics/instance_statistics/measurement_policy.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +module Analytics + module InstanceStatistics + class MeasurementPolicy < BasePolicy + delegate { :global } + end + end +end diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 7e69e1fdd88..65f2a70672b 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -37,6 +37,10 @@ module Ci @subject.archived? end + condition(:artifacts_public, scope: :subject) do + @subject.artifacts_public? + end + condition(:terminal, scope: :subject) do @subject.has_terminal? end @@ -57,6 +61,10 @@ module Ci can?(:update_build, @subject.project) end + condition(:project_developer) do + can?(:developer_access, @subject.project) + end + rule { project_read_build }.enable :read_build_trace rule { debug_mode & ~project_update_build }.prevent :read_build_trace @@ -94,6 +102,9 @@ module Ci rule { ~can?(:build_service_proxy_enabled) }.policy do prevent :create_build_service_proxy end + + rule { project_read_build }.enable :read_job_artifacts + rule { ~artifacts_public & ~project_developer }.prevent :read_job_artifacts end end diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index b5c1ec0181e..9c79a797a6a 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -100,6 +100,7 @@ class GlobalPolicy < BasePolicy enable :update_custom_attribute enable :approve_user enable :reject_user + enable :read_instance_statistics_measurements end # We can't use `read_statistics` because the user may have different permissions for different projects diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb index 78a2be7a9f8..09cac96e3a5 100644 
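Review bot: In app/policies/analytics/instance_statistics/measurement_policy.rb the new class carries no comment saying that it defines no rules of its own and that every decision comes from the `:global` delegate. The only matching ability visible in this diff is `enable :read_instance_statistics_measurements` in the global_policy.rb hunk, and the rule that contains it opens outside that hunk, so which users receive it cannot be confirmed from here. I would add `# Access to measurements is decided entirely by GlobalPolicy (read_instance_statistics_measurements).` above the class.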
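Review bot: In the third hunk of app/policies/ci/build_policy.rb, the two `read_job_artifacts` rules restrict non-public artifacts only where a caller authorizes against `:read_job_artifacts`. This diff is limited to app/policies, so it does not show whether the artifact download, browse and API paths were moved off `:read_build`. Any path still checking only `:read_build` would presumably keep serving artifacts that `artifacts_public?` marks as non-public. The pair also relies on a prevent overriding an enable, which is worth stating next to it, e.g. `# prevent wins over enable: non-public artifacts need developer access even when read_build is granted`. The enclosing class body continues outside the hunk.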
--- a/app/policies/group_member_policy.rb +++ b/app/policies/group_member_policy.rb @@ -10,7 +10,11 @@ class GroupMemberPolicy < BasePolicy with_score 0 condition(:is_target_user) { @user && @subject.user_id == @user.id } - rule { anonymous }.prevent_all + rule { anonymous }.policy do + prevent :update_group_member + prevent :destroy_group_member + end + rule { last_owner }.policy do prevent :update_group_member prevent :destroy_group_member diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 7d0db222eaf..7dd88fcc1ff 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -66,7 +66,7 @@ class GroupPolicy < BasePolicy with_scope :subject condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? } - rule { design_management_enabled }.policy do + rule { can?(:read_group) & design_management_enabled }.policy do enable :read_design_activity end @@ -116,17 +116,20 @@ class GroupPolicy < BasePolicy enable :delete_metrics_dashboard_annotation enable :update_metrics_dashboard_annotation enable :create_custom_emoji + enable :create_package_settings end rule { reporter }.policy do enable :reporter_access enable :read_container_image + enable :admin_board enable :admin_label enable :admin_list enable :admin_issue enable :read_metrics_dashboard_annotation enable :read_prometheus enable :read_package + enable :read_package_settings end rule { maintainer }.policy do diff --git a/app/policies/namespace/package_setting_policy.rb b/app/policies/namespace/package_setting_policy.rb new file mode 100644 index 00000000000..7fe388c633e --- /dev/null +++ b/app/policies/namespace/package_setting_policy.rb @@ -0,0 +1,5 @@ +# frozen_string_literal: true + +class Namespace::PackageSettingPolicy < BasePolicy + delegate { @subject.namespace } +end diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb index b1d680b4264..13eb4a13cac 100644 --- a/app/policies/namespace_policy.rb 
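Review bot: In app/policies/group_member_policy.rb, replacing `rule { anonymous }.prevent_all` with two explicit prevents turns a deny-all for anonymous users into a deny-list, so any other ability this policy enables or delegates is no longer blocked for them, and abilities added later are open to anonymous users by default. If that is intended, it should be stated in a comment such as `# anonymous users keep abilities from delegated policies; only member changes are blocked`, and a spec should pin the exact set of abilities an anonymous user ends up with. The new block also repeats the two prevents of the `last_owner` rule below it; if that rule's body, which ends outside the hunk, holds nothing else, `rule { anonymous | last_owner }.policy do` would keep them in one place.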
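Review bot: In the second hunk of app/policies/group_policy.rb, `enable :create_package_settings` is added to a rule whose header lies outside the hunk, while namespace_policy.rb adds the same ability to a different rule. The role allowed to create package settings should be confirmed against both, since granting a settings-write ability to a low role would widen who can change package behaviour for the whole group. `enable :admin_board` in the `reporter` rule looks unrelated to package settings and deserves its own mention in the commit description. No update or destroy ability for package settings appears in this diff, so it is unclear whether `create_package_settings` is also meant to cover edits.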
+++ b/app/policies/namespace_policy.rb @@ -14,6 +14,8 @@ class NamespacePolicy < BasePolicy enable :read_namespace enable :read_statistics enable :create_jira_connect_subscription + enable :create_package_settings + enable :read_package_settings end rule { personal_project & ~can_create_personal_project }.prevent :create_projects diff --git a/app/policies/packages/composer/metadatum_policy.rb b/app/policies/packages/composer/metadatum_policy.rb new file mode 100644 index 00000000000..66bac31f48f --- /dev/null +++ b/app/policies/packages/composer/metadatum_policy.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true +module Packages + module Composer + class MetadatumPolicy < BasePolicy + delegate { @subject.package } + end + end +end diff --git a/app/policies/packages/tag_policy.rb b/app/policies/packages/tag_policy.rb new file mode 100644 index 00000000000..84bad30470a --- /dev/null +++ b/app/policies/packages/tag_policy.rb @@ -0,0 +1,6 @@ +# frozen_string_literal: true +module Packages + class TagPolicy < BasePolicy + delegate { @subject.package } + end +end diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 3b8c59c6bf8..03cb53f55be 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -135,6 +135,10 @@ class ProjectPolicy < BasePolicy ::Feature.enabled?(:build_service_proxy, @subject) end + condition(:user_defined_variables_allowed) do + !@subject.restrict_user_defined_variables? + end + with_scope :subject condition(:packages_disabled) { !@subject.packages_enabled } @@ -236,6 +240,7 @@ class ProjectPolicy < BasePolicy enable :read_commit_status enable :read_build enable :read_container_image + enable :read_deploy_board enable :read_pipeline enable :read_pipeline_schedule enable :read_environment 
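Review bot: app/policies/packages/composer/metadatum_policy.rb has no blank line between `# frozen_string_literal: true` and `module Packages`, unlike the other new files in this commit (measurement_policy.rb, package_setting_policy.rb), which separate the magic comment from the code. app/policies/packages/tag_policy.rb has the same layout. Adding an empty line after the magic comment in both files keeps the new policies consistent.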
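Review bot: In the first hunk of app/policies/project_policy.rb, `condition(:user_defined_variables_allowed)` reads only `@subject` but is declared without a subject scope, whereas `artifacts_public` in build_policy.rb in this same commit uses `scope: :subject`. Declaring it as `condition(:user_defined_variables_allowed, scope: :subject) do` would let the result be cached per project instead of per user and project. The surrounding class body starts and ends outside the hunk.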
@@ -615,6 +620,10 @@ class ProjectPolicy < BasePolicy enable :admin_resource_access_tokens end + rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do + enable :set_pipeline_variables + end + private def user_is_user? |
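Review bot: In the last hunk of app/policies/project_policy.rb, the rule `user_defined_variables_allowed | can?(:maintainer_access)` enables `:set_pipeline_variables` for every user, whatever their role, whenever the project has not set `restrict_user_defined_variables?`. That is only safe if every caller checks it together with the ability that authorizes running a pipeline, which this diff does not show. I would either say so in a comment, `# only meaningful together with the pipeline-creation check; grants nothing on its own`, or add that ability to the rule's condition. The hunk ends inside the class, at `private` and `def user_is_user?`.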