Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/global_policy.rb2
-rw-r--r--app/policies/group_member_policy.rb5
-rw-r--r--app/policies/group_policy.rb24
-rw-r--r--app/policies/project_policy.rb6
-rw-r--r--app/policies/work_items/type_policy.rb9
5 files changed, 36 insertions, 10 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index c3b4b163cb4..2a2ddf29899 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -9,7 +9,7 @@ class GlobalPolicy < BasePolicy
with_options scope: :user, score: 0
condition(:access_locked) { @user&.access_locked? }
- condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }
+ condition(:can_create_fork, scope: :user) { @user && @user.forkable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }
condition(:required_terms_not_accepted, scope: :user, score: 0) do
@user&.required_terms_not_accepted?
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index f7a7286aba7..a394b63fc8e 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -5,6 +5,7 @@ class GroupMemberPolicy < BasePolicy
with_scope :subject
condition(:last_owner) { @subject.group.member_last_owner?(@subject) || @subject.group.member_last_blocked_owner?(@subject) }
+ condition(:project_bot) { @subject.user&.project_bot? && @subject.group.member?(@subject.user) }
desc "Membership is users' own"
with_score 0
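Review bot: The new `project_bot` condition following `last_owner` shares its name with the `project_bot` condition added to GroupPolicy in this commit but means something different — here it describes the membership being acted on, not the acting user — and it carries no `desc`, unlike the condition that follows it. A `desc "Member is a project bot"` line above it would make that distinction visible in policy explanations. The purpose of the extra `@subject.group.member?(@subject.user)` check is not stated; if it is meant to exclude inherited or shared-group memberships, a short comment saying so would help, since the semantics of `member?` cannot be confirmed from this diff.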
@@ -20,11 +21,13 @@ class GroupMemberPolicy < BasePolicy
prevent :destroy_group_member
end
- rule { can?(:admin_group_member) }.policy do
+ rule { ~project_bot & can?(:admin_group_member) }.policy do
enable :update_group_member
enable :destroy_group_member
end
+ rule { project_bot & can?(:admin_group_member) }.enable :destroy_project_bot_member
+
rule { is_target_user }.policy do
enable :destroy_group_member
end
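Review bot: Project-bot memberships are kept out of `update_group_member`/`destroy_group_member` only by not enabling them in the `~project_bot & can?(:admin_group_member)` rule, which does nothing to stop another rule (the `is_target_user` rule just below, an EE extension, or an admin path) from enabling the same abilities. If the intent is that a bot's membership is never edited through the ordinary member actions, the `prevent` form already used for `last_owner` above is the robust way to say it: `rule { project_bot }.prevent :update_group_member`. Whether `destroy_group_member` should be prevented as well depends on whether a bot may remove its own membership via `is_target_user`, which I cannot determine here; the class continues past this hunk.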
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 5c4990ffd9b..fee47fe0ae9 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -23,6 +23,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
+ desc "User is a project bot"
+ condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST }
+
condition(:has_projects) do
group_projects_for(user: @user, group: @subject).any?
end
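Review bot: `user.project_bot?` in the new `project_bot` condition is not nil-safe, while other conditions in this commit use `@user&.` (for example `access_locked` in GlobalPolicy), which suggests `@user` can be nil for anonymous access. If so, any ability whose rules reference `project_bot` — `project_bot_access` and, through it, `create_resource_access_tokens` — would raise `NoMethodError` for an anonymous caller instead of evaluating to false. `condition(:project_bot) { user&.project_bot? && access_level >= GroupMember::GUEST }` keeps the condition false in that case; if `user` is a helper that already guarantees a non-nil value here, a comment saying so would spare the next reader the same question.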
@@ -75,7 +78,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
with_scope :subject
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
- condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
+ condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? }
with_scope :subject
condition(:group_runner_registration_allowed, score: 0, scope: :subject) do
@@ -120,8 +123,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_group_member
enable :read_custom_emoji
enable :read_counts
- enable :read_crm_organization
- enable :read_crm_contact
end
rule { ~public_group & ~has_access }.prevent :read_counts
@@ -156,13 +157,14 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_prometheus
enable :read_package
enable :read_package_settings
+ enable :read_crm_organization
+ enable :read_crm_contact
end
rule { maintainer }.policy do
enable :destroy_package
enable :create_projects
enable :admin_pipeline
- enable :admin_group_runners
enable :admin_build
enable :read_cluster
enable :add_cluster
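Review bot: `read_crm_organization` and `read_crm_contact` are moved into a rule whose condition sits above this hunk, and nothing in the hunk ties them to the `crm_enabled` condition that this same commit tightens with `@subject.crm_enabled?`. Unless a `rule { ~crm_enabled }.prevent ...` exists elsewhere in the file (not visible here), the per-group CRM setting would have no effect on these read abilities. A one-line comment beside the two `enable` lines such as `# additionally gated by ~crm_enabled below`, or the prevent rule itself if it is missing, would make the gate explicit. The rule receiving the CRM abilities starts before this hunk, and the `maintainer` rule that follows continues past it.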
@@ -180,6 +182,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :admin_group_member
enable :change_visibility_level
+ enable :read_group_runners
+ enable :admin_group_runners
+ enable :register_group_runners
+
enable :set_note_created_at
enable :set_emails_disabled
enable :change_prevent_sharing_groups_outside_hierarchy
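Review bot: `register_group_runners` is now enabled directly beside `admin_group_runners` in this rule, while the derived `rule { can?(:admin_group_runners) }.enable :register_group_runners` is deleted further down in the same file. Any other policy layer that enables `admin_group_runners` on its own (EE overrides or an admin path, none visible here) would therefore keep runner administration but silently lose registration, which was previously implied by it. Keeping the derived rule, or a comment stating that registration is intentionally tied to this rule's role rather than to `admin_group_runners`, would document the new relationship. The rule's condition is above the hunk, so the role it grants to cannot be confirmed from this view.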
@@ -205,10 +211,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_nested_project_resources
end
- rule { can?(:admin_group_runners) }.policy do
- enable :register_group_runners
- end
-
rule { owner }.enable :create_subgroup
rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
@@ -250,6 +252,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :admin_dependency_proxy
end
+ rule { project_bot }.enable :project_bot_access
+
rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
enable :read_resource_access_tokens
enable :destroy_resource_access_tokens
@@ -260,6 +264,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :create_resource_access_tokens
end
+ rule { can?(:project_bot_access) }.policy do
+ prevent :create_resource_access_tokens
+ end
+
rule { support_bot & has_project_with_service_desk_enabled }.policy do
enable :read_label
end
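Review bot: The new `can?(:project_bot_access)` rule stops a group access token's bot from minting further tokens, but leaves `read_resource_access_tokens` and `destroy_resource_access_tokens` (enabled above for `can?(:admin_group)`) reachable by a bot holding owner-level access, so a leaked owner-scoped token can still revoke every other token in the group. If the goal is to keep bot tokens out of token administration entirely, `prevent :destroy_resource_access_tokens` belongs in the same policy block; if revocation by bots is intended, a comment saying so would keep the asymmetry from reading as an oversight. Because `project_bot` requires only `access_level >= GroupMember::GUEST`, a bot with owner access is covered by this rule, so the choice is deliberate either way and should be recorded.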
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b3aa49a00ae..55f43cd9f7b 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,11 @@ class ProjectPolicy < BasePolicy
rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident
+ rule { can?(:guest_access) & can?(:create_issue) }.policy do
+ enable :create_task
+ enable :create_work_item
+ end
+
# These abilities are not allowed to admins that are not members of the project,
# that's why they are defined separately.
rule { guest & can?(:download_code) }.enable :build_download_code
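Review bot: `create_work_item` is enabled for any guest who can `create_issue`, with no restriction on the work item type, while `create_incident` on the line above still requires `reporter_access`. If the work item creation path accepts a type that maps to incidents (not determinable from this diff), the reporter gate could be bypassed by creating the incident as a work item; either the service should check `create_incident` for that type or a comment here should state which types `create_work_item` covers. A comment such as `# Guests may create tasks and generic work items; incidents are gated separately above` would record the intent. The class continues outside this hunk.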
@@ -399,6 +404,7 @@ class ProjectPolicy < BasePolicy
enable :destroy_feature_flag
enable :admin_feature_flag
enable :admin_feature_flags_user_lists
+ enable :update_escalation_status
end
rule { can?(:developer_access) & user_confirmed? }.policy do
diff --git a/app/policies/work_items/type_policy.rb b/app/policies/work_items/type_policy.rb
new file mode 100644
index 00000000000..c9b3321146a
--- /dev/null
+++ b/app/policies/work_items/type_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module WorkItems
+ class TypePolicy < BasePolicy
+ condition(:is_default_type) { @subject.default? }
+
+ rule { is_default_type }.enable :read_work_item_type
+ end
+end
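Review bot: Only default work item types are readable, so a non-default type (the `default?` predicate implies such types exist) is invisible to every user, including those who would be authorized for whatever owns it; nothing in the policy consults the user or the type's owner. If namespace-scoped types are planned, a second rule delegating to the owning namespace's policy will be needed; if the restriction is deliberate for now, a comment above the rule such as `# Only built-in (default) types are exposed until custom types carry an owner to authorize against` would stop a reader from treating it as an oversight. A `desc` on `is_default_type` would also match the style of the other policies in this commit.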