Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/global_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/group_member_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 24 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/work_items/type_policy.rb | 9 |
5 files changed, 36 insertions, 10 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index c3b4b163cb4..2a2ddf29899 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -9,7 +9,7 @@ class GlobalPolicy < BasePolicy
   with_options scope: :user, score: 0
   condition(:access_locked) { @user&.access_locked? }
 
-  condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }
+  condition(:can_create_fork, scope: :user) { @user && @user.forkable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }
 
   condition(:required_terms_not_accepted, scope: :user, score: 0) do
     @user&.required_terms_not_accepted?
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index f7a7286aba7..a394b63fc8e 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -5,6 +5,7 @@ class GroupMemberPolicy < BasePolicy
 
   with_scope :subject
   condition(:last_owner) { @subject.group.member_last_owner?(@subject) || @subject.group.member_last_blocked_owner?(@subject) }
+  condition(:project_bot) { @subject.user&.project_bot? && @subject.group.member?(@subject.user) }
 
   desc "Membership is users' own"
   with_score 0
@@ -20,11 +21,13 @@ class GroupMemberPolicy < BasePolicy
     prevent :destroy_group_member
   end
 
-  rule { can?(:admin_group_member) }.policy do
+  rule { ~project_bot & can?(:admin_group_member) }.policy do
     enable :update_group_member
     enable :destroy_group_member
   end
 
+  rule { project_bot & can?(:admin_group_member) }.enable :destroy_project_bot_member
+
   rule { is_target_user }.policy do
     enable :destroy_group_member
   end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 5c4990ffd9b..fee47fe0ae9 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
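Review bot: In the second group_member_policy.rb hunk the `~project_bot` guard narrows only the admin rule; the `is_target_user` rule that follows it still enables `:destroy_group_member`, so a request made with the project bot's own credentials keeps the old ability on its own membership instead of going through `:destroy_project_bot_member` — confirm that is intended, or add `~project_bot &` to that rule as well. The new `project_bot` condition would also benefit from a why-comment, since a GroupMember subject normally implies membership and the extra `@subject.group.member?(@subject.user)` check reads as redundant; presumably it excludes pending invites or access requests, but that cannot be confirmed from this hunk, so something like `# only a bot that actually holds membership (not a pending invite/request) gets the bot-specific rules — verify` would document the assumption. The class body these rules belong to continues outside the hunk.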
@@ -23,6 +23,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
   condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
 
+  desc "User is a project bot"
+  condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST }
+
   condition(:has_projects) do
     group_projects_for(user: @user, group: @subject).any?
   end
@@ -75,7 +78,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   with_scope :subject
   condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
 
-  condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
+  condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? }
 
   with_scope :subject
   condition(:group_runner_registration_allowed, score: 0, scope: :subject) do
@@ -120,8 +123,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :read_group_member
     enable :read_custom_emoji
     enable :read_counts
-    enable :read_crm_organization
-    enable :read_crm_contact
   end
 
   rule { ~public_group & ~has_access }.prevent :read_counts
@@ -156,13 +157,14 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :read_prometheus
     enable :read_package
     enable :read_package_settings
+    enable :read_crm_organization
+    enable :read_crm_contact
   end
 
   rule { maintainer }.policy do
     enable :destroy_package
     enable :create_projects
     enable :admin_pipeline
-    enable :admin_group_runners
     enable :admin_build
     enable :read_cluster
     enable :add_cluster
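Review bot: The new `project_bot` condition in the first group_policy.rb hunk calls `user.project_bot?` with no nil guard, while the neighbouring conditions in this class (`@subject.parent&.` here, `@user&.` elsewhere) and the equivalent condition added to group_member_policy.rb in this same commit tolerate a missing user; unless a prevent-all rule for anonymous users short-circuits evaluation earlier in the policy (not visible in this hunk), evaluating `project_bot_access` for a nil user raises NoMethodError. Suggest `condition(:project_bot) { @user&.project_bot? && access_level >= GroupMember::GUEST }`, which also short-circuits before `access_level` is touched. `access_level` is defined outside the hunk, so whether it handles a nil user cannot be checked here.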
@@ -180,6 +182,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :admin_group_member
     enable :change_visibility_level
 
+    enable :read_group_runners
+    enable :admin_group_runners
+    enable :register_group_runners
+
     enable :set_note_created_at
     enable :set_emails_disabled
     enable :change_prevent_sharing_groups_outside_hierarchy
@@ -205,10 +211,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :read_nested_project_resources
   end
 
-  rule { can?(:admin_group_runners) }.policy do
-    enable :register_group_runners
-  end
-
   rule { owner }.enable :create_subgroup
   rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
 
@@ -250,6 +252,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :admin_dependency_proxy
   end
 
+  rule { project_bot }.enable :project_bot_access
+
   rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
     enable :read_resource_access_tokens
     enable :destroy_resource_access_tokens
@@ -260,6 +264,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :create_resource_access_tokens
   end
 
+  rule { can?(:project_bot_access) }.policy do
+    prevent :create_resource_access_tokens
+  end
+
   rule { support_bot & has_project_with_service_desk_enabled }.policy do
     enable :read_label
   end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b3aa49a00ae..55f43cd9f7b 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,11 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident
 
+  rule { can?(:guest_access) & can?(:create_issue) }.policy do
+    enable :create_task
+    enable :create_work_item
+  end
+
   # These abilities are not allowed to admins that are not members of the project,
   # that's why they are defined separately.
   rule { guest & can?(:download_code) }.enable :build_download_code
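Review bot: Enabling `:register_group_runners` directly in the owner block (group_policy.rb hunk at line 182) while deleting the derived `rule { can?(:admin_group_runners) }` (hunk at line 211) breaks the implication between the two abilities: any other layer that grants `:admin_group_runners` — a prepended or EE extension of this class, for instance — previously received registration rights with it and now would have to enable both explicitly, which cannot be verified from these hunks and is worth a grep before merging. A short comment above the three runner lines, e.g. `# Runner visibility, administration and registration are owner-only; any override granting :admin_group_runners must grant :register_group_runners too`, would record that coupling. Moving `:admin_group_runners` out of the maintainer block and the new `prevent :create_resource_access_tokens` for `project_bot_access` both tighten the policy and look deliberate.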
@@ -399,6 +404,7 @@ class ProjectPolicy < BasePolicy
     enable :destroy_feature_flag
     enable :admin_feature_flag
     enable :admin_feature_flags_user_lists
+    enable :update_escalation_status
   end
 
   rule { can?(:developer_access) & user_confirmed? }.policy do
diff --git a/app/policies/work_items/type_policy.rb b/app/policies/work_items/type_policy.rb
new file mode 100644
index 00000000000..c9b3321146a
--- /dev/null
+++ b/app/policies/work_items/type_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module WorkItems
+  class TypePolicy < BasePolicy
+    condition(:is_default_type) { @subject.default? }
+
+    rule { is_default_type }.enable :read_work_item_type
+  end
+end
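Review bot: The `is_default_type` condition in the new work_items/type_policy.rb depends only on the subject, so declaring it `condition(:is_default_type, scope: :subject) { @subject.default? }` lets the result be cached per subject, the way the subject-only conditions in group_policy.rb in this same commit are declared. Within this policy `:read_work_item_type` is granted to any caller, anonymous included, for default types and to nobody for non-default ones; if non-default types are meant to be readable by members of their owning namespace that rule is missing, and either way a one-line class comment such as `# Default work item types are readable by everyone; non-default types are not exposed through this policy` would make the intended exposure explicit.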