Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/blob_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/ci/build_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/commit_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/commit_signatures/gpg_signature_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/commit_signatures/x509_commit_signature_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/concerns/member_policy_helpers.rb | 19 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/group_member_policy.rb | 14 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/incident_management/timeline_event_tag_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/issuable_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/packages/policies/project_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/project_member_policy.rb | 15 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 31 | ||||
-rw-r--r-- | app/policies/user_policy.rb | 1 |
16 files changed, 109 insertions, 19 deletions
diff --git a/app/policies/blob_policy.rb b/app/policies/blob_policy.rb index 639b9dfeea7..8220b035603 100644 --- a/app/policies/blob_policy.rb +++ b/app/policies/blob_policy.rb @@ -3,5 +3,5 @@ class BlobPolicy < BasePolicy delegate { @subject.project } - rule { can?(:download_code) }.enable :read_blob + rule { can?(:read_code) }.enable :read_blob end diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index b657b569e3e..5ef926ef2e3 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -27,8 +27,8 @@ module Ci false end - condition(:prevent_rollback) do - @subject.prevent_rollback_deployment? + condition(:outdated_deployment) do + @subject.outdated_deployment? end condition(:owner_of_job) do @@ -77,12 +77,14 @@ module Ci # Authorizing the user to access to protected entities. # There is a "jailbreak" mode to exceptionally bypass the authorization, # however, you should NEVER allow it, rather suspect it's a wrong feature/product design. - rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment | prevent_rollback) }.policy do + rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do prevent :update_build prevent :update_commit_status prevent :erase_build end + rule { outdated_deployment }.prevent :update_build + rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build rule { can?(:public_access) & branch_allows_collaboration }.policy do diff --git a/app/policies/commit_policy.rb b/app/policies/commit_policy.rb index 4b358c45ec2..66ec2c5ce56 100644 --- a/app/policies/commit_policy.rb +++ b/app/policies/commit_policy.rb @@ -3,6 +3,6 @@ class CommitPolicy < BasePolicy delegate { @subject.project } - rule { can?(:download_code) }.enable :read_commit + rule { can?(:read_code) }.enable :read_commit rule { ~can?(:read_commit) }.prevent :create_note end 
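Review bot: The new `rule { outdated_deployment }.prevent :update_build` in ci/build_policy.rb covers only `:update_build`, whereas the `prevent_rollback` condition it replaces also blocked `:update_commit_status` and `:erase_build` through the jailbreak-guarded rule. The next rule still enables `:erase_build` via `can?(:admin_build)`, so a user holding that ability can presumably now erase a build that belongs to an outdated deployment. If the narrowing is intended, state it in a comment above the rule, for example `# Outdated deployments only block re-running the job; status updates and erasing stay allowed`. If it is not, use a `.policy do` block that prevents all three abilities. The surrounding rule list continues outside the hunk.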
diff --git a/app/policies/commit_signatures/gpg_signature_policy.rb b/app/policies/commit_signatures/gpg_signature_policy.rb
new file mode 100644
index 00000000000..518a289c1f3
--- /dev/null
+++ b/app/policies/commit_signatures/gpg_signature_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module CommitSignatures
+ class GpgSignaturePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/commit_signatures/x509_commit_signature_policy.rb b/app/policies/commit_signatures/x509_commit_signature_policy.rb
new file mode 100644
index 00000000000..6b2477797fc
--- /dev/null
+++ b/app/policies/commit_signatures/x509_commit_signature_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module CommitSignatures
+ class X509CommitSignaturePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/concerns/member_policy_helpers.rb b/app/policies/concerns/member_policy_helpers.rb
new file mode 100644
index 00000000000..6c4a3caf8bf
--- /dev/null
+++ b/app/policies/concerns/member_policy_helpers.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module MemberPolicyHelpers
+ extend ActiveSupport::Concern
+
+ private
+
+ def record_is_access_request_of_self?
+ record_is_access_request? && record_belongs_to_self?
+ end
+
+ def record_is_access_request?
+ @subject.request? # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ end
+
+ def record_belongs_to_self?
+ @user && @subject.user == @user # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ end
+end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 406144b7a5c..fa7b117f3cd 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
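Review bot: `record_belongs_to_self?` in member_policy_helpers.rb compares `@subject.user == @user`, while the `GroupMemberPolicy` condition it replaces compared `@subject.user_id == @user.id`. The new form may load the member's user association on each check, even though the conditions that call it are declared `with_score 0`. Comparing ids, `@user && @subject.user_id == @user.id`, avoids that lookup and still returns false for a membership that has no user. The three helpers also have no comments; a short header saying that `@subject` is expected to be a member record and that `request?` identifies an access request (both inferred from the callers) would help readers of the two member policies.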
@@ -120,8 +120,6 @@ class GlobalPolicy < BasePolicy # We can't use `read_statistics` because the user may have different permissions for different projects rule { admin }.enable :use_project_statistics_filters - rule { admin }.enable :delete_runners - rule { external_user }.prevent :create_snippet end diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb index a394b63fc8e..f61f758a8e8 100644 --- a/app/policies/group_member_policy.rb +++ b/app/policies/group_member_policy.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true class GroupMemberPolicy < BasePolicy + include MemberPolicyHelpers + delegate :group with_scope :subject @@ -9,7 +11,11 @@ class GroupMemberPolicy < BasePolicy desc "Membership is users' own" with_score 0 - condition(:is_target_user) { @user && @subject.user_id == @user.id } + condition(:target_is_self) { record_belongs_to_self? } + + desc "Membership is users' own access request" + with_score 0 + condition(:access_request_of_self) { record_is_access_request_of_self? } rule { anonymous }.policy do prevent :update_group_member @@ -28,9 +34,13 @@ class GroupMemberPolicy < BasePolicy rule { project_bot & can?(:admin_group_member) }.enable :destroy_project_bot_member - rule { is_target_user }.policy do + rule { target_is_self }.policy do enable :destroy_group_member end + + rule { access_request_of_self }.policy do + enable :withdraw_member_access_request + end end GroupMemberPolicy.prepend_mod_with('GroupMemberPolicy') diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 7a0fb10928a..806c57bab74 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb 
@@ -22,7 +22,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? } condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? } condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) } - condition(:migration_bot, scope: :user) { @user.migration_bot? } + condition(:migration_bot, scope: :user) { @user&.migration_bot? } condition(:can_read_group_member) { can_read_group_member? } desc "User is a project bot" @@ -283,6 +283,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy prevent :create_resource_access_tokens end + rule { can?(:admin_group_member) }.policy do + # ability to read, approve or reject member access requests of other users + enable :admin_member_access_request + end + rule { support_bot & has_project_with_service_desk_enabled }.policy do enable :read_label end diff --git a/app/policies/incident_management/timeline_event_tag_policy.rb b/app/policies/incident_management/timeline_event_tag_policy.rb new file mode 100644 index 00000000000..e2268d917b4 --- /dev/null +++ b/app/policies/incident_management/timeline_event_tag_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +module IncidentManagement + class TimelineEventTagPolicy < ::BasePolicy + delegate { @subject.project } + end +end diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb index df065b24e64..aa07bb7dc5f 100644 --- a/app/policies/issuable_policy.rb +++ b/app/policies/issuable_policy.rb @@ -56,7 +56,7 @@ class IssuablePolicy < BasePolicy end # This rule replicates permissions in NotePolicy#can_read_confidential - rule { can?(:reporter_access) | assignee_or_author | admin }.policy do + rule { can?(:reporter_access) | admin }.policy do enable :read_internal_note end end 
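Review bot: The `read_internal_note` rule in issuable_policy.rb drops `assignee_or_author`, and the `can_read_confidential` condition in the note_policy.rb hunk drops the matching `noteable_assignee_or_author?` check, but the comment above that condition says it must also match `EpicPolicy#read_internal_note`. That policy is not among the files listed, and the diffstat shown is limited to app/policies, so this page cannot confirm it was tightened in the same change. If it was not, an epic's author or assignee below Reporter access could presumably still read internal notes there. Consider extending the comment in IssuablePolicy to name all three places, e.g. `# Keep in sync with NotePolicy#can_read_confidential and EpicPolicy#read_internal_note`.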
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb index dbfc63a0069..67b57595beb 100644 --- a/app/policies/note_policy.rb +++ b/app/policies/note_policy.rb @@ -23,7 +23,7 @@ class NotePolicy < BasePolicy # Should be matched with IssuablePolicy#read_internal_note # and EpicPolicy#read_internal_note condition(:can_read_confidential) do - access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin? + access_level >= Gitlab::Access::REPORTER || admin? end rule { ~editable }.prevent :admin_note diff --git a/app/policies/packages/policies/project_policy.rb b/app/policies/packages/policies/project_policy.rb index c754d24349a..0fb5953f2aa 100644 --- a/app/policies/packages/policies/project_policy.rb +++ b/app/policies/packages/policies/project_policy.rb @@ -52,3 +52,5 @@ module Packages end end end + +Packages::Policies::ProjectPolicy.prepend_mod_with('Packages::Policies::ProjectPolicy') diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb index 40ba30fce5e..bcfc7c87d41 100644 --- a/app/policies/project_member_policy.rb +++ b/app/policies/project_member_policy.rb @@ -1,13 +1,18 @@ # frozen_string_literal: true class ProjectMemberPolicy < BasePolicy + include MemberPolicyHelpers delegate { @subject.project } condition(:target_is_holder_of_the_personal_namespace, scope: :subject) do @subject.project.personal_namespace_holder?(@subject.user) end - condition(:target_is_self) { @user && @subject.user == @user } + desc "Membership is users' own access request" + with_score 0 + condition(:access_request_of_self) { record_is_access_request_of_self? } + + condition(:target_is_self) { record_belongs_to_self? } condition(:project_bot) { @subject.user&.project_bot? } rule { anonymous }.prevent_all 
@@ -24,5 +29,11 @@ class ProjectMemberPolicy < BasePolicy rule { project_bot & can?(:admin_project_member) }.enable :destroy_project_bot_member - rule { target_is_self }.enable :destroy_project_member + rule { target_is_self }.policy do + enable :destroy_project_member + end + + rule { access_request_of_self }.policy do + enable :withdraw_member_access_request + end end diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 77bdf9d62fc..bfeb1a602ab 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -195,8 +195,6 @@ class ProjectPolicy < BasePolicy with_scope :subject condition(:packages_disabled) { !@subject.packages_enabled } - condition(:work_items_enabled, scope: :subject) { project&.work_items_feature_flag_enabled? } - features = %w[ merge_requests issues @@ -213,6 +211,7 @@ class ProjectPolicy < BasePolicy environments feature_flags releases + infrastructure ] features.each do |f| @@ -255,7 +254,6 @@ class ProjectPolicy < BasePolicy enable :change_namespace enable :change_visibility_level - enable :rename_project enable :remove_project enable :archive_project enable :remove_fork_project @@ -303,7 +301,7 @@ class ProjectPolicy < BasePolicy rule { can?(:create_issue) }.enable :create_work_item - rule { can?(:create_issue) & work_items_enabled }.enable :create_task + rule { can?(:create_issue) }.enable :create_task # These abilities are not allowed to admins that are not members of the project, # that's why they are defined separately. 
@@ -409,6 +407,14 @@ class ProjectPolicy < BasePolicy prevent(*create_read_update_admin_destroy(:alert_management_alert)) end + rule { split_operations_visibility_permissions & infrastructure_disabled }.policy do + prevent(*create_read_update_admin_destroy(:terraform_state)) + prevent(*create_read_update_admin_destroy(:cluster)) + prevent(:read_pod_logs) + prevent(:read_prometheus) + prevent(:admin_project_google_cloud) + end + rule { can?(:metrics_dashboard) }.policy do enable :read_prometheus enable :read_deployment @@ -490,6 +496,7 @@ class ProjectPolicy < BasePolicy enable :push_to_delete_protected_branch enable :update_snippet enable :admin_snippet + enable :rename_project enable :admin_project_member enable :admin_note enable :admin_wiki @@ -530,6 +537,7 @@ class ProjectPolicy < BasePolicy enable :read_web_hooks enable :read_upload enable :destroy_upload + enable :admin_incident_management_timeline_event_tag end rule { public_project & metrics_dashboard_allowed }.policy do @@ -624,7 +632,6 @@ class ProjectPolicy < BasePolicy prevent :read_commit_status prevent :read_pipeline prevent :read_pipeline_schedule - prevent(*create_read_update_admin_destroy(:release)) prevent(*create_read_update_admin_destroy(:feature_flag)) prevent(:admin_feature_flags_user_lists) end @@ -729,6 +736,10 @@ class ProjectPolicy < BasePolicy enable :read_work_item end + rule { can?(:read_merge_request) }.policy do + enable :read_vulnerability_merge_request_link + end + rule { can?(:developer_access) }.policy do enable :read_security_configuration end @@ -827,6 +838,8 @@ class ProjectPolicy < BasePolicy rule { can?(:admin_project_member) }.policy do enable :import_project_members_from_another_project + # ability to read, approve or reject member access requests of other users + enable :admin_member_access_request end rule { registry_enabled & can?(:admin_container_image) }.policy do 
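Review bot: The `infrastructure_disabled` rule added to project_policy.rb is a hand-maintained deny list, so an infrastructure ability introduced later stays usable with the feature switched off unless this block is extended. A comment above the rule would make that obligation visible, for example `# Every ability governed by the Infrastructure feature setting must be listed here`. The rule is also conjoined with `split_operations_visibility_permissions`, which is defined outside the hunk. If that condition is a feature flag, disabling Infrastructure has no effect while the flag is off, and the same comment should say so.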
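Review bot: `enable :rename_project` is removed from the block that holds `change_namespace` and `remove_project` (hunk at -255) and added beside `admin_project_member` and `admin_note` (hunk at -490), which reads as a move from the owner rule to a lower role. Both rule headers lie outside the hunks, so the roles are inferred. Because this widens who holds the ability, mark it at the new location with a comment such as `# rename_project: granted from this role upward; namespace and visibility changes stay in the owner rule`, so a later reorder does not widen or narrow it by accident.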
@@ -837,6 +850,14 @@ class ProjectPolicy < BasePolicy enable :view_package_registry_project_settings end + rule { can?(:read_project) }.policy do + enable :read_incident_management_timeline_event_tag + end + + rule { can?(:download_code) }.policy do + enable :read_code + end + private def user_is_user? diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index f62ccef826c..4f3dafbf5c8 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -36,6 +36,7 @@ class UserPolicy < BasePolicy rule { (private_profile | blocked_user | unconfirmed_user) & ~(user_is_self | admin) }.prevent :read_user_profile rule { user_is_self | admin }.enable :disable_two_factor rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token + rule { (user_is_self | admin) & ~blocked }.enable :get_user_associations_count end UserPolicy.prepend_mod_with('UserPolicy') |
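Review bot: `read_code` is enabled only from `can?(:download_code)` in this hunk, so existing `prevent :download_code` rules carry over, but no rule prevents `:read_code` itself. BlobPolicy and CommitPolicy now check `read_code`, so if any other rule enables `:read_code` directly (for instance one added through `prepend_mod_with`), `read_blob` and `read_commit` would be granted even where `download_code` is prevented. Each rule that prevents `:download_code` should then also `prevent :read_code`. A comment on this rule should state how the two abilities differ, e.g. `# read_code: view repository content; download_code additionally allows clone/archive` if that is the intent.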