Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/resource_group_policy.rb7
-rw-r--r--app/policies/clusters/agent_policy.rb9
-rw-r--r--app/policies/clusters/agent_token_policy.rb9
-rw-r--r--app/policies/group_policy.rb5
-rw-r--r--app/policies/list_policy.rb5
-rw-r--r--app/policies/namespace_policy.rb29
-rw-r--r--app/policies/namespaces/project_namespace_policy.rb9
-rw-r--r--app/policies/namespaces/user_namespace_policy.rb28
-rw-r--r--app/policies/project_policy.rb3
9 files changed, 79 insertions, 25 deletions
diff --git a/app/policies/ci/resource_group_policy.rb b/app/policies/ci/resource_group_policy.rb
new file mode 100644
index 00000000000..ef384265b11
--- /dev/null
+++ b/app/policies/ci/resource_group_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ci
+ class ResourceGroupPolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
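Review bot: `Ci::ResourceGroupPolicy` reads `@subject` directly, while the two `Clusters` policies added in the same commit alias `subject` to a named reader first. Writing it as `alias_method :resource_group, :subject` followed by `delegate { resource_group.project }` would keep the three new policies consistent. The class also defines no rules of its own, so a comment above `delegate` such as `# Access to a resource group is decided entirely by its project's policy.` would point readers to `ProjectPolicy`, where `:read_resource_group` and `:update_resource_group` are enabled.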
diff --git a/app/policies/clusters/agent_policy.rb b/app/policies/clusters/agent_policy.rb
new file mode 100644
index 00000000000..25e78c84802
--- /dev/null
+++ b/app/policies/clusters/agent_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Clusters
+ class AgentPolicy < BasePolicy
+ alias_method :cluster_agent, :subject
+
+ delegate { cluster_agent.project }
+ end
+end
diff --git a/app/policies/clusters/agent_token_policy.rb b/app/policies/clusters/agent_token_policy.rb
new file mode 100644
index 00000000000..e876ecfac26
--- /dev/null
+++ b/app/policies/clusters/agent_token_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Clusters
+ class AgentTokenPolicy < BasePolicy
+ alias_method :token, :subject
+
+ delegate { token.agent }
+ end
+end
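Review bot: `Clusters::AgentTokenPolicy` has no rule of its own, so who may list or revoke a token is decided only by the ability each caller checks, resolved through `token.agent` and then, via `AgentPolicy`, the project. Because the subject is a credential, a comment above `delegate` naming the expected ability would make it harder to gate a token endpoint on a read-level project ability by mistake, for example `# Tokens are credentials: callers must check <ABILITY_PLACEHOLDER> on the token.`. The call sites are outside this diff, so which ability they use cannot be confirmed here.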
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 7abffd2c352..64395f69c42 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -134,6 +134,8 @@ class GroupPolicy < BasePolicy
enable :create_package
enable :create_package_settings
enable :developer_access
+ enable :admin_organization
+ enable :admin_contact
end
rule { reporter }.policy do
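Review bot: The two added lines grant `:admin_organization` and `:admin_contact` in the block that ends with `enable :developer_access`, whose rule header lies above the hunk and is presumably the developer rule. An `admin_`-prefixed ability at that level is easy to misread as a mistake, so a comment above the pair such as `# Managing organizations and contacts requires developer access.` would record that the level is deliberate. `:admin_organization` moves here from the reporter block (removed in the next hunk), which narrows it, while `:admin_contact` is new. A spec asserting that a reporter is denied both would pin the boundary.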
@@ -147,7 +149,6 @@ class GroupPolicy < BasePolicy
enable :read_prometheus
enable :read_package
enable :read_package_settings
- enable :admin_organization
end
rule { maintainer }.policy do
@@ -162,7 +163,6 @@ class GroupPolicy < BasePolicy
enable :admin_cluster
enable :read_deploy_token
enable :create_jira_connect_subscription
- enable :update_runners_registration_token
enable :maintainer_access
end
@@ -179,6 +179,7 @@ class GroupPolicy < BasePolicy
enable :update_default_branch_protection
enable :create_deploy_token
enable :destroy_deploy_token
+ enable :update_runners_registration_token
enable :owner_access
end
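Review bot: `:update_runners_registration_token` is now enabled only in the block that ends with `enable :owner_access`, yet `project_policy.rb` still enables the same ability in the block shown as context in its second hunk, whose rule header is outside that hunk. If that project block is the maintainer rule, a project maintainer can still reset a project's runner registration token while the group level now requires owner. Either a matching change in `ProjectPolicy` or a comment here such as `# Owner-only at group level; the project level is handled in ProjectPolicy.` would make the difference explicit. A spec that a group maintainer is denied the ability would keep this tightening from regressing.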
diff --git a/app/policies/list_policy.rb b/app/policies/list_policy.rb
new file mode 100644
index 00000000000..97845746546
--- /dev/null
+++ b/app/policies/list_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ListPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ delegate { @subject.board.resource_parent }
+end
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index dcbeda9f5d3..0cf1bcb9737 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -1,26 +1,9 @@
# frozen_string_literal: true
-class NamespacePolicy < BasePolicy
- rule { anonymous }.prevent_all
-
- condition(:personal_project, scope: :subject) { @subject.kind == 'user' }
- condition(:can_create_personal_project, scope: :user) { @user.can_create_project? }
- condition(:owner) { @subject.owner == @user }
-
- rule { owner | admin }.policy do
- enable :owner_access
- enable :create_projects
- enable :admin_namespace
- enable :read_namespace
- enable :read_statistics
- enable :create_jira_connect_subscription
- enable :create_package_settings
- enable :read_package_settings
- end
-
- rule { personal_project & ~can_create_personal_project }.prevent :create_projects
-
- rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
+class NamespacePolicy < ::Namespaces::UserNamespacePolicy
+ # NamespacePolicy has been traditionally for user namespaces.
+ # So these policies have been moved into Namespaces::UserNamespacePolicy.
+ # Once the user namespace conversion is complete, we can look at
+ # either removing this file or locating common namespace policy items
+ # here.
end
-
-NamespacePolicy.prepend_mod_with('NamespacePolicy')
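Review bot: The hunk drops `NamespacePolicy.prepend_mod_with('NamespacePolicy')`, and the new `user_namespace_policy.rb` prepends `'Namespaces::UserNamespacePolicy'` instead, so an extension module still registered under the old name would presumably no longer be applied to any policy class. This diff is limited to `app/policies`, so whether that extension was renamed in the same commit cannot be checked here. The new comment block could also state the effect of the inheritance directly, e.g. `# Inherits every rule from Namespaces::UserNamespacePolicy; change rules there.`, since an empty class body otherwise suggests that nothing is granted.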
diff --git a/app/policies/namespaces/project_namespace_policy.rb b/app/policies/namespaces/project_namespace_policy.rb
new file mode 100644
index 00000000000..bc08a7a45ed
--- /dev/null
+++ b/app/policies/namespaces/project_namespace_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Namespaces
+ class ProjectNamespacePolicy < BasePolicy
+ # For now users are not granted any permissions on project namespace
+ # as it's completely hidden to them. When we start using project
+ # namespaces in queries, we will have to extend this policy.
+ end
+end
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
new file mode 100644
index 00000000000..f8b285e5312
--- /dev/null
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Namespaces
+ class UserNamespacePolicy < BasePolicy
+ rule { anonymous }.prevent_all
+
+ condition(:personal_project, scope: :subject) { @subject.kind == 'user' }
+ condition(:can_create_personal_project, scope: :user) { @user.can_create_project? }
+ condition(:owner) { @subject.owner == @user }
+
+ rule { owner | admin }.policy do
+ enable :owner_access
+ enable :create_projects
+ enable :admin_namespace
+ enable :read_namespace
+ enable :read_statistics
+ enable :create_jira_connect_subscription
+ enable :create_package_settings
+ enable :read_package_settings
+ end
+
+ rule { personal_project & ~can_create_personal_project }.prevent :create_projects
+
+ rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
+ end
+end
+
+Namespaces::UserNamespacePolicy.prepend_mod_with('Namespaces::UserNamespacePolicy')
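Review bot: `condition(:owner) { @subject.owner == @user }` compares with `==`, which also holds when both sides are nil, so `rule { anonymous }.prevent_all` at the top of the class appears to be the only thing keeping an ownerless namespace from matching a signed-out user. The rules are moved unchanged from `NamespacePolicy`, but the move is a good moment to add a comment above the condition, such as `# Relies on the anonymous prevent_all above: nil == nil would otherwise count as owner.`. A class-level comment noting that `NamespacePolicy` now inherits from this class would also tell readers that edits here change both policies.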
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 54b11ea6041..59aa47beff9 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -357,6 +357,8 @@ class ProjectPolicy < BasePolicy
enable :update_commit_status
enable :create_build
enable :update_build
+ enable :read_resource_group
+ enable :update_resource_group
enable :create_merge_request_from
enable :create_wiki
enable :push_code
@@ -436,6 +438,7 @@ class ProjectPolicy < BasePolicy
enable :destroy_freeze_period
enable :admin_feature_flags_client
enable :update_runners_registration_token
+ enable :manage_project_google_cloud
end
rule { public_project & metrics_dashboard_allowed }.policy do