Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/achievements/achievement_policy.rb7
-rw-r--r--app/policies/ci/build_policy.rb6
-rw-r--r--app/policies/ci/job_artifact_policy.rb15
-rw-r--r--app/policies/description_version_policy.rb5
-rw-r--r--app/policies/email_policy.rb5
-rw-r--r--app/policies/group_policy.rb2
-rw-r--r--app/policies/issuable_policy.rb5
-rw-r--r--app/policies/issue_policy.rb11
-rw-r--r--app/policies/merge_request_policy.rb4
-rw-r--r--app/policies/note_policy.rb10
-rw-r--r--app/policies/project_group_link_policy.rb17
-rw-r--r--app/policies/project_policy.rb1
-rw-r--r--app/policies/projects/branch_rule_policy.rb8
-rw-r--r--app/policies/resource_event_policy.rb5
-rw-r--r--app/policies/resource_label_event_policy.rb4
-rw-r--r--app/policies/resource_milestone_event_policy.rb14
-rw-r--r--app/policies/resource_state_event_policy.rb10
-rw-r--r--app/policies/todo_policy.rb10
-rw-r--r--app/policies/user_policy.rb1
-rw-r--r--app/policies/users/namespace_commit_email_policy.rb7
20 files changed, 126 insertions, 21 deletions
diff --git a/app/policies/achievements/achievement_policy.rb b/app/policies/achievements/achievement_policy.rb
new file mode 100644
index 00000000000..9723be0196d
--- /dev/null
+++ b/app/policies/achievements/achievement_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Achievements
+ class AchievementPolicy < ::BasePolicy
+ delegate { @subject.namespace }
+ end
+end
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 5ef926ef2e3..ca0b51e1385 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -59,7 +59,7 @@ module Ci
@subject.debug_mode?
end
- condition(:project_read_build, scope: :subject) do
+ condition(:can_read_project_build, scope: :subject) do
can?(:read_build, @subject.project)
end
@@ -71,7 +71,7 @@ module Ci
can?(:developer_access, @subject.project)
end
- rule { project_read_build }.enable :read_build_trace
+ rule { can_read_project_build }.enable :read_build_trace
rule { debug_mode & ~project_update_build }.prevent :read_build_trace
# Authorizing the user to access to protected entities.
@@ -114,7 +114,7 @@ module Ci
prevent :create_build_service_proxy
end
- rule { project_read_build }.enable :read_job_artifacts
+ rule { can_read_project_build }.enable :read_job_artifacts
rule { ~artifacts_public & ~project_developer }.prevent :read_job_artifacts
end
end
diff --git a/app/policies/ci/job_artifact_policy.rb b/app/policies/ci/job_artifact_policy.rb
index e25c7311565..61c935af8ba 100644
--- a/app/policies/ci/job_artifact_policy.rb
+++ b/app/policies/ci/job_artifact_policy.rb
@@ -3,5 +3,20 @@
module Ci
class JobArtifactPolicy < BasePolicy
delegate { @subject.job.project }
+
+ condition(:public_access, scope: :subject) do
+ @subject.public_access?
+ end
+
+ condition(:can_read_project_build, scope: :subject) do
+ can?(:read_build, @subject.job.project)
+ end
+
+ condition(:has_access_to_project) do
+ can?(:developer_access, @subject.job.project)
+ end
+
+ rule { can_read_project_build }.enable :read_job_artifacts
+ rule { ~public_access & ~has_access_to_project }.prevent :read_job_artifacts
end
end
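Review bot: The `read_job_artifacts` enable/prevent pair added to `Ci::JobArtifactPolicy` duplicates the pair in `Ci::BuildPolicy` (`rule { can_read_project_build }.enable :read_job_artifacts` and `rule { ~artifacts_public & ~project_developer }.prevent :read_job_artifacts`, touched in this same commit), so the two can drift apart without anyone noticing. A cross-reference above the rules, `# Keep in sync with Ci::BuildPolicy#read_job_artifacts`, in both files would make the coupling explicit. The `has_access_to_project` condition actually tests `developer_access`, so naming it `project_developer` as BuildPolicy does would describe what it checks rather than a vaguer notion of access.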
diff --git a/app/policies/description_version_policy.rb b/app/policies/description_version_policy.rb
new file mode 100644
index 00000000000..9ee9df3278b
--- /dev/null
+++ b/app/policies/description_version_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class DescriptionVersionPolicy < BasePolicy
+ delegate { @subject.issuable }
+end
diff --git a/app/policies/email_policy.rb b/app/policies/email_policy.rb
new file mode 100644
index 00000000000..cf10fa893b4
--- /dev/null
+++ b/app/policies/email_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class EmailPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ delegate { @subject.user }
+end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 8eea995529c..b2325b7acac 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -126,6 +126,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_group_member
enable :read_custom_emoji
enable :read_counts
+ enable :read_achievement
end
rule { ~public_group & ~has_access }.prevent :read_counts
@@ -185,6 +186,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :maintainer_access
enable :read_upload
enable :destroy_upload
+ enable :admin_achievement
end
rule { owner }.policy do
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index aa07bb7dc5f..52796ed1a1d 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -16,6 +16,9 @@ class IssuablePolicy < BasePolicy
condition(:is_incident) { @subject.incident? }
+ desc "Issuable is hidden"
+ condition(:hidden, scope: :subject) { @subject.hidden? }
+
rule { can?(:guest_access) & assignee_or_author & ~is_incident }.policy do
enable :read_issue
enable :update_issue
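Review bot: The `hidden` condition is hoisted into `IssuablePolicy`, but the prevent rule that uses it cannot follow it because the abilities differ per subclass (`read_issue` vs `read_merge_request`), so each subclass still has to remember to add its own `hidden & ~admin` prevent rule — `MergeRequestPolicy` gets one in this commit, `IssuePolicy`'s is outside the visible hunks. A comment next to the condition, `# Subclasses must add a `hidden & ~admin` prevent rule for their read ability.`, would record that contract. The condition now calls `@subject.hidden?` on every issuable this policy covers, so MergeRequest must implement `hidden?`; I cannot confirm that from this diff.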
@@ -55,7 +58,7 @@ class IssuablePolicy < BasePolicy
enable :read_issuable_participables
end
- # This rule replicates permissions in NotePolicy#can_read_confidential
+ # This rule replicates permissions in NotePolicy#can_read_internal_note
rule { can?(:reporter_access) | admin }.policy do
enable :read_internal_note
end
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 491eebe9daf..d1e35793c64 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -21,9 +21,6 @@ class IssuePolicy < IssuablePolicy
desc "Issue is confidential"
condition(:confidential, scope: :subject) { @subject.confidential? }
- desc "Issue is hidden"
- condition(:hidden, scope: :subject) { @subject.hidden? }
-
desc "Issue is persisted"
condition(:persisted, scope: :subject) { @subject.persisted? }
@@ -37,7 +34,7 @@ class IssuePolicy < IssuablePolicy
prevent :read_note
prevent :read_internal_note
prevent :set_note_created_at
- prevent :mark_note_as_confidential
+ prevent :mark_note_as_internal
# these actions on notes are not available on issues/work items yet,
# but preventing any action on work item notes as long as there is no notes widget seems reasonable
prevent :resolve_note
@@ -91,6 +88,10 @@ class IssuePolicy < IssuablePolicy
enable :set_confidentiality
end
+ rule { can?(:guest_access) & can?(:read_issue) }.policy do
+ enable :admin_issue_relation
+ end
+
rule { can_read_crm_contacts }.policy do
enable :read_crm_contacts
end
@@ -100,7 +101,7 @@ class IssuePolicy < IssuablePolicy
end
rule { can?(:reporter_access) }.policy do
- enable :mark_note_as_confidential
+ enable :mark_note_as_internal
end
end
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index 1759cf057e4..49f9225a1d3 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -29,6 +29,10 @@ class MergeRequestPolicy < IssuablePolicy
enable :update_subscription
end
+ rule { hidden & ~admin }.policy do
+ prevent :read_merge_request
+ end
+
condition(:can_merge) { @subject.can_be_merged_by?(@user) }
rule { can_merge }.policy do
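Review bot: The new prevent block only covers `read_merge_request`; whether abilities such as `update_merge_request`, `read_note` or `create_note` on a hidden merge request are also blocked depends on rules outside this hunk that I cannot see. If they are not gated on `read_merge_request`, they belong in this block too, mirroring whatever `IssuePolicy`'s hidden rule prevents. `hidden` here is the condition moved into `IssuablePolicy` by this commit and relies on `@subject.hidden?` existing on MergeRequest.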
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 9fd95bbe42d..ccc095f37da 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,7 +18,7 @@ class NotePolicy < BasePolicy
condition(:is_visible) { @subject.system_note_visible_for?(@user) }
- condition(:confidential, scope: :subject) { @subject.confidential? }
+ condition(:internal, scope: :subject) { @subject.confidential? }
# if noteable is a work item it needs to check the notes widget availability
condition(:notes_widget_enabled, scope: :subject) do
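Review bot: `condition(:internal, scope: :subject) { @subject.confidential? }` now has a name that no longer matches the attribute it reads, and `TodoPolicy#has_internal_note` (also in this commit) does the same with `@subject&.note&.confidential?`. A one-line comment on each, `# Internal notes are still persisted in the `confidential` column.`, would stop the next reader from "fixing" either side of the mismatch. The rename of the abilities (`mark_note_as_internal`, `read_internal_note`) is consistent across the touched policies as far as this diff shows.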
@@ -28,7 +28,7 @@ class NotePolicy < BasePolicy
# Should be matched with IssuablePolicy#read_internal_note
# and EpicPolicy#read_internal_note
- condition(:can_read_confidential) do
+ condition(:can_read_internal_note) do
access_level >= Gitlab::Access::REPORTER || admin?
end
@@ -67,11 +67,11 @@ class NotePolicy < BasePolicy
enable :resolve_note
end
- rule { can_read_confidential }.policy do
- enable :mark_note_as_confidential
+ rule { can_read_internal_note }.policy do
+ enable :mark_note_as_internal
end
- rule { confidential & ~can_read_confidential }.policy do
+ rule { internal & ~can_read_internal_note }.policy do
prevent :read_note
prevent :admin_note
prevent :resolve_note
diff --git a/app/policies/project_group_link_policy.rb b/app/policies/project_group_link_policy.rb
new file mode 100644
index 00000000000..00bb246d70b
--- /dev/null
+++ b/app/policies/project_group_link_policy.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ condition(:group_owner_or_project_admin) { group_owner? || project_admin? }
+
+ rule { group_owner_or_project_admin }.enable :admin_project_group_link
+
+ private
+
+ def group_owner?
+ can?(:admin_group, @subject.group)
+ end
+
+ def project_admin?
+ can?(:admin_project, @subject.project)
+ end
+end
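Review bot: `group_owner?` is implemented as `can?(:admin_group, @subject.group)`, so the helper name promises a stricter check (ownership) than it performs if `admin_group` is granted to any non-owner role; I cannot see `GroupPolicy`'s `admin_group` grant here to confirm either way. Naming the helpers after the ability actually tested, `can_admin_group?` and `can_admin_project?`, keeps the policy honest. Splitting the combined condition into `condition(:can_admin_group)` and `condition(:can_admin_project)` with `rule { can_admin_group | can_admin_project }.enable :admin_project_group_link` would also let the policy debug output show which leg granted access.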
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index fd3dbb54d57..b85a57f81cd 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -526,6 +526,7 @@ class ProjectPolicy < BasePolicy
enable :read_upload
enable :destroy_upload
enable :admin_incident_management_timeline_event_tag
+ enable :stop_environment
end
rule { public_project & metrics_dashboard_allowed }.policy do
diff --git a/app/policies/projects/branch_rule_policy.rb b/app/policies/projects/branch_rule_policy.rb
new file mode 100644
index 00000000000..9ea15ea26d4
--- /dev/null
+++ b/app/policies/projects/branch_rule_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Projects
+ class BranchRulePolicy < ::ProtectedBranchPolicy
+ end
+end
+
+Projects::BranchRulePolicy.prepend_mod
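Review bot: The empty subclass carries no comment explaining why it exists, so a reader cannot tell whether the subject is expected to expose the same interface `::ProtectedBranchPolicy` relies on (that policy is outside this view) or whether the class is only a `prepend_mod` extension point. A header comment along the lines of `# Branch rules share the abilities of ProtectedBranchPolicy; the subclass exists so EE can prepend additional rules.` — adjusted to whichever is true — would answer both questions.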
diff --git a/app/policies/resource_event_policy.rb b/app/policies/resource_event_policy.rb
new file mode 100644
index 00000000000..d8142212927
--- /dev/null
+++ b/app/policies/resource_event_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ResourceEventPolicy < BasePolicy
+ condition(:can_read_issuable) { can?(:"read_#{@subject.issuable.to_ability_name}", @subject.issuable) }
+end
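Review bot: `ResourceEventPolicy` defines only the shared `can_read_issuable` condition and no rules, but nothing says it is an abstract base for the resource event policies that subclass it in this commit. A `desc "User can read the issuable the event belongs to"` above the condition and a short class comment, `# Base policy for resource *_event records; subclasses add the concrete read rules.`, would make the intent clear. The dynamically built ability name `:"read_#{@subject.issuable.to_ability_name}"` is derived from the model, not user input, which is worth a brief why-comment so it is not mistaken for a problem later.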
diff --git a/app/policies/resource_label_event_policy.rb b/app/policies/resource_label_event_policy.rb
index de4748d9890..d9c2eed72e7 100644
--- a/app/policies/resource_label_event_policy.rb
+++ b/app/policies/resource_label_event_policy.rb
@@ -1,8 +1,7 @@
# frozen_string_literal: true
-class ResourceLabelEventPolicy < BasePolicy
+class ResourceLabelEventPolicy < ResourceEventPolicy
condition(:can_read_label) { @subject.label_id.nil? || can?(:read_label, @subject.label) }
- condition(:can_read_issuable) { can?(:"read_#{@subject.issuable.to_ability_name}", @subject.issuable) }
rule { can_read_label }.policy do
enable :read_label
@@ -10,5 +9,6 @@ class ResourceLabelEventPolicy < BasePolicy
rule { can_read_label & can_read_issuable }.policy do
enable :read_resource_label_event
+ enable :read_note
end
end
diff --git a/app/policies/resource_milestone_event_policy.rb b/app/policies/resource_milestone_event_policy.rb
new file mode 100644
index 00000000000..10a1f86fb85
--- /dev/null
+++ b/app/policies/resource_milestone_event_policy.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class ResourceMilestoneEventPolicy < ResourceEventPolicy
+ condition(:can_read_milestone) { @subject.milestone_id.nil? || can?(:read_milestone, @subject.milestone) }
+
+ rule { can_read_milestone }.policy do
+ enable :read_milestone
+ end
+
+ rule { can_read_milestone & can_read_issuable }.policy do
+ enable :read_resource_milestone_event
+ enable :read_note
+ end
+end
diff --git a/app/policies/resource_state_event_policy.rb b/app/policies/resource_state_event_policy.rb
new file mode 100644
index 00000000000..34df2e96eb8
--- /dev/null
+++ b/app/policies/resource_state_event_policy.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class ResourceStateEventPolicy < ResourceEventPolicy
+ condition(:can_read_issuable) { can?(:"read_#{@subject.issuable.to_ability_name}", @subject.issuable) }
+
+ rule { can_read_issuable }.policy do
+ enable :read_resource_state_event
+ enable :read_note
+ end
+end
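Review bot: `condition(:can_read_issuable)` here duplicates verbatim the condition already defined on the new superclass `ResourceEventPolicy`; `ResourceLabelEventPolicy` and `ResourceMilestoneEventPolicy` rely on the inherited one, so this redefinition is the only copy that can drift. Dropping the line leaves `rule { can_read_issuable }.policy do` working unchanged and keeps a single definition to maintain.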
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index d63eb9407f8..3b4be29664f 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -11,18 +11,18 @@ class TodoPolicy < BasePolicy
@user && @subject.target&.readable_by?(@user)
end
- desc "Todo has confidential note"
- condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
+ desc "Todo has internal note"
+ condition(:has_internal_note, scope: :subject) { @subject&.note&.confidential? }
- desc "User can read the todo's confidential note"
- condition(:can_read_todo_confidential_note) do
+ desc "User can read the todo's internal note"
+ condition(:can_read_todo_internal_note) do
@user && @user.can?(:read_internal_note, @subject.target)
end
rule { own_todo & can_read_target }.enable :read_todo
rule { can?(:read_todo) }.enable :update_todo
- rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
+ rule { has_internal_note & ~can_read_todo_internal_note }.policy do
prevent :read_todo
prevent :update_todo
end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 4f3dafbf5c8..ed5b01e52b4 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -30,6 +30,7 @@ class UserPolicy < BasePolicy
enable :read_group_count
enable :read_user_groups
enable :read_saved_replies
+ enable :read_user_email_address
end
rule { default }.enable :read_user_profile
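Review bot: `enable :read_user_email_address` is added inside a rule block whose condition starts above this hunk, so the diff does not show who gains visibility of a user's email address. Given the `read_saved_replies` sibling it is presumably the user themself or an admin, but please confirm it is not a broad rule and note the audience on the ability, e.g. `# Email is PII: visible to the user themself and admins only.` if that is the condition.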
diff --git a/app/policies/users/namespace_commit_email_policy.rb b/app/policies/users/namespace_commit_email_policy.rb
new file mode 100644
index 00000000000..849ebd04688
--- /dev/null
+++ b/app/policies/users/namespace_commit_email_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Users
+ class NamespaceCommitEmailPolicy < BasePolicy
+ delegate { @subject.user }
+ end
+end