Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/ci/runner_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/deployment_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/issuable_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/namespaces/group_project_namespace_shared_policy.rb | 14 | ||||
-rw-r--r-- | app/policies/namespaces/project_namespace_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/namespaces/user_namespace_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/project_hook_policy.rb | 10 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 27 | ||||
-rw-r--r-- | app/policies/system_hook_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/time_tracking/timelog_category_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/upload_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/work_item_policy.rb | 3 |
13 files changed, 85 insertions, 7 deletions
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 6dfe9cc496b..8a99f4d1a3e 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -31,3 +31,5 @@ module Ci
 rule { ~admin & locked }.prevent :assign_runner
 end
 end
+
+Ci::RunnerPolicy.prepend_mod_with('Ci::RunnerPolicy')
diff --git a/app/policies/deployment_policy.rb b/app/policies/deployment_policy.rb
index 1a92b735e36..70b2e864094 100644
--- a/app/policies/deployment_policy.rb
+++ b/app/policies/deployment_policy.rb
@@ -24,3 +24,5 @@ class DeploymentPolicy < BasePolicy
 prevent :update_deployment
 end
 end
+
+DeploymentPolicy.prepend_mod_with('DeploymentPolicy')
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 50b6f4bbe15..44393539327 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -180,7 +180,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :read_deploy_token
 enable :create_jira_connect_subscription
 enable :maintainer_access
- enable :maintain_namespace
+ enable :read_upload
+ enable :destroy_upload
 end
 rule { owner }.policy do
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index f1efcb25331..3c5e1020c8a 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -44,6 +44,10 @@ class IssuablePolicy < BasePolicy
 rule { can?(:read_issue) & can?(:developer_access) }.policy do
 enable :admin_incident_management_timeline_event
 end
+
+ rule { can?(:reporter_access) }.policy do
+ enable :create_timelog
+ end
 end
 IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/app/policies/namespaces/group_project_namespace_shared_policy.rb b/app/policies/namespaces/group_project_namespace_shared_policy.rb
index 1ed9f05306f..bfb1706bc5a 100644
--- a/app/policies/namespaces/group_project_namespace_shared_policy.rb
+++ b/app/policies/namespaces/group_project_namespace_shared_policy.rb
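Review bot: Dropping `enable :maintain_namespace` from the maintainer block here (and from the owner block of UserNamespacePolicy in a later hunk) means any call site still authorizing `:maintain_namespace` now denies for everyone, because an ability no rule enables is denied by default in these policies. That is fail-closed rather than a privilege widening, but it would surface as a silent 403 on whatever path previously relied on it, so I would grep app/, lib/ and ee/ for `maintain_namespace` before merging and confirm every caller was switched to `read_upload`/`destroy_upload`. The enclosing `rule { maintainer }.policy do` block starts outside this hunk, so it is only an inference from the context lines that `read_upload`/`destroy_upload` land at maintainer level; a one-line comment above the new enables, `# Upload management replaces the retired :maintain_namespace ability`, would record the intent.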
@@ -2,8 +2,20 @@ module Namespaces
 class GroupProjectNamespaceSharedPolicy < ::NamespacePolicy
- # Nothing here at the moment, but as we move policies from ProjectPolicy to ProjectNamespacePolicy,
+ # As we move policies from ProjectPolicy to ProjectNamespacePolicy,
 # anything common with GroupPolicy but not with UserNamespacePolicy can go in here.
 # See https://gitlab.com/groups/gitlab-org/-/epics/6689
+
+ condition(:timelog_categories_enabled, score: 0, scope: :subject) do
+ Feature.enabled?(:timelog_categories, @subject)
+ end
+
+ rule { ~timelog_categories_enabled }.policy do
+ prevent :read_timelog_category
+ end
+
+ rule { can?(:reporter_access) }.policy do
+ enable :read_timelog_category
+ end
 end
 end
diff --git a/app/policies/namespaces/project_namespace_policy.rb b/app/policies/namespaces/project_namespace_policy.rb
index 33aadc7c411..500c325138e 100644
--- a/app/policies/namespaces/project_namespace_policy.rb
+++ b/app/policies/namespaces/project_namespace_policy.rb
@@ -2,8 +2,8 @@ module Namespaces
 class ProjectNamespacePolicy < Namespaces::GroupProjectNamespaceSharedPolicy
- # For now users are not granted any permissions on project namespace
- # as it's completely hidden to them. When we start using project
- # namespaces in queries, we will have to extend this policy.
+ # TODO: once https://gitlab.com/gitlab-org/gitlab/-/issues/364277 is solved, this
+ # should not be necessary anymore, and should be replaced with `delegate(:project)`.
+ delegate(:reload_project)
 end
 end
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index 26112332003..028247497e5 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -11,7 +11,6 @@ module Namespaces
 enable :owner_access
 enable :create_projects
 enable :admin_namespace
- enable :maintain_namespace
 enable :read_namespace
 enable :read_statistics
 enable :create_jira_connect_subscription
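Review bot: `read_timelog_category` is granted only via `can?(:reporter_access)` in this shared policy, and the comment on the class says UserNamespacePolicy does not share it, so a TimelogCategory attached to a user namespace (TimelogCategoryPolicy delegates to `@subject.namespace` in a later hunk) is refused by default-deny rather than by any explicit rule. That outcome is safe, but it is invisible from either file, and a later "fix" adding a reporter-style grant to UserNamespacePolicy would silently widen it. I would state it above the first rule: `# Only group and project namespaces get read_timelog_category; user namespaces fall through to default deny.` It is also worth noting next to the flag rule that, as elsewhere in these policies, the `prevent` wins over the `enable` declared after it, so the feature-flag check is authoritative regardless of rule order.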
diff --git a/app/policies/project_hook_policy.rb b/app/policies/project_hook_policy.rb
new file mode 100644
index 00000000000..c177fabb1ba
--- /dev/null
+++ b/app/policies/project_hook_policy.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class ProjectHookPolicy < ::BasePolicy
+ delegate(:project)
+
+ rule { can?(:admin_project) }.policy do
+ enable :read_web_hook
+ enable :destroy_web_hook
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 54270dc186e..f4f7275a78a 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -209,6 +209,9 @@ class ProjectPolicy < BasePolicy
 analytics
 operations
 security_and_compliance
+ environments
+ feature_flags
+ releases
 ]
 features.each do |f|
@@ -366,7 +369,11 @@ class ProjectPolicy < BasePolicy
 prevent(:metrics_dashboard)
 end
- rule { operations_disabled }.policy do
+ condition(:split_operations_visibility_permissions) do
+ ::Feature.enabled?(:split_operations_visibility_permissions, @subject)
+ end
+
+ rule { ~split_operations_visibility_permissions & operations_disabled }.policy do
 prevent(*create_read_update_admin_destroy(:feature_flag))
 prevent(*create_read_update_admin_destroy(:environment))
 prevent(*create_read_update_admin_destroy(:sentry_issue))
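Review bot: Gating the entire legacy `operations_disabled` rule behind `~split_operations_visibility_permissions` widens access for every ability that rule prevented but the new per-feature rules do not re-prevent: within this hunk that is `sentry_issue` CRUD, and the rule body continues past the hunk (its tail, `prevent(:read_prometheus)`, is the first context line of the next hunk), whereas the replacement rules only cover environment/deployment, feature_flag and release. If those remaining abilities are meant to stop depending on the operations feature once the flag is on, a comment on the rule should say so; otherwise keep them under an unconditional `rule { operations_disabled }.policy do prevent(*create_read_update_admin_destroy(:sentry_issue)) ... end` so flag rollout changes only the three split features. Separately, `condition(:split_operations_visibility_permissions)` reads only `@subject`, so declaring it `score: 0, scope: :subject` like `timelog_categories_enabled` in the shared namespace policy would keep the two flag conditions consistent and avoid evaluating the flag once per user/subject pair.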
@@ -379,6 +386,21 @@ class ProjectPolicy < BasePolicy
 prevent(:read_prometheus)
 end
+ rule { split_operations_visibility_permissions & environments_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:environment))
+ prevent(*create_read_update_admin_destroy(:deployment))
+ end
+
+ rule { split_operations_visibility_permissions & feature_flags_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:feature_flag))
+ prevent(:admin_feature_flags_user_lists)
+ prevent(:admin_feature_flags_client)
+ end
+
+ rule { split_operations_visibility_permissions & releases_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:release))
+ end
+
 rule { can?(:metrics_dashboard) }.policy do
 enable :read_prometheus
 enable :read_deployment
@@ -470,6 +492,7 @@ class ProjectPolicy < BasePolicy
 enable :admin_pipeline
 enable :admin_environment
 enable :admin_deployment
+ enable :destroy_deployment
 enable :admin_pages
 enable :read_pages
 enable :update_pages
@@ -497,6 +520,8 @@ class ProjectPolicy < BasePolicy
 enable :admin_project_google_cloud
 enable :admin_secure_files
 enable :read_web_hooks
+ enable :read_upload
+ enable :destroy_upload
 end
 rule { public_project & metrics_dashboard_allowed }.policy do
diff --git a/app/policies/system_hook_policy.rb b/app/policies/system_hook_policy.rb
new file mode 100644
index 00000000000..ec28d39a5fa
--- /dev/null
+++ b/app/policies/system_hook_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class SystemHookPolicy < ::BasePolicy
+ rule { admin }.policy do
+ enable :read_web_hook
+ enable :destroy_web_hook
+ end
+end
diff --git a/app/policies/time_tracking/timelog_category_policy.rb b/app/policies/time_tracking/timelog_category_policy.rb
new file mode 100644
index 00000000000..89161cdacfb
--- /dev/null
+++ b/app/policies/time_tracking/timelog_category_policy.rb
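Review bot: The three new rules hinge on `environments_disabled`, `feature_flags_disabled` and `releases_disabled`, none of which this hunk defines; they presumably come from the `features.each` loop that the earlier hunk extends with `environments`, `feature_flags` and `releases`, but that loop body is outside the diff, so a reader here cannot verify the conditions exist or which access level they test. A comment above the first rule would close that gap: `# *_disabled conditions are generated from the `features` list above, one per project feature.` Note also that `read_deployment` is enabled by the `can?(:metrics_dashboard)` rule immediately below the new `prevent(*create_read_update_admin_destroy(:deployment))`; that only stays safe because prevent outranks enable in these policies, which deserves a one-line comment on the deployment prevent so nobody reorders the rules expecting the order to matter.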
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module TimeTracking
+ class TimelogCategoryPolicy < BasePolicy
+ delegate { @subject.namespace }
+ end
+end
diff --git a/app/policies/upload_policy.rb b/app/policies/upload_policy.rb
new file mode 100644
index 00000000000..c7fde5d9df4
--- /dev/null
+++ b/app/policies/upload_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class UploadPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ delegate { @subject.model }
+end
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb
index 2f3561f1135..1ccc152bc6b 100644
--- a/app/policies/work_item_policy.rb
+++ b/app/policies/work_item_policy.rb
@@ -3,9 +3,12 @@ class WorkItemPolicy < IssuePolicy
 condition(:is_member_and_author) { is_project_member? & is_author? }
+ rule { can?(:admin_issue) }.enable :admin_work_item
+
 rule { can?(:destroy_issue) | is_member_and_author }.enable :delete_work_item
 rule { can?(:update_issue) }.enable :update_work_item
+ rule { can?(:set_issue_metadata) }.enable :set_work_item_metadata
 rule { can?(:read_issue) }.enable :read_work_item
 # because IssuePolicy delegates to ProjectPolicy and |
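Review bot: `delegate { @subject.model }` hands the whole decision to whatever the upload is attached to, and in this change only GroupPolicy and ProjectPolicy grant `read_upload`/`destroy_upload`, so an Upload whose `model` is any other class, or nil for an orphaned record, ends up with no applicable rule and is refused by default-deny. That is the safe outcome, but it is entirely implicit and a later grant on another model's policy would extend it without anyone touching this file. I would document the contract on the class: `# Fully delegated to the owning model's policy; models without read_upload/destroy_upload rules (and a nil model) fall through to default deny.` If a nil `model` is actually reachable, an explicit `condition(:has_model) { @subject.model.present? }` with `rule { ~has_model }.prevent_all` would make the denial deliberate rather than a side effect of delegating to nil.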