Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/group_policy.rb | 18 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 26 |
2 files changed, 35 insertions, 9 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index a47f801bd72..01932a6780c 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -61,7 +61,8 @@ class GroupPolicy < BasePolicy
 end
 with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
 with_scope :subject
 condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
@@ -213,8 +214,13 @@ class GroupPolicy < BasePolicy
 rule { developer & dependency_proxy_available }
 .enable :admin_dependency_proxy
- rule { resource_access_token_available & can?(:admin_group) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
+ end
+
+ rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
+ enable :create_resource_access_tokens
 end
 rule { support_bot & has_project_with_service_desk_enabled }.policy do
@@ -242,9 +248,13 @@ class GroupPolicy < BasePolicy
 @subject
 end
- def resource_access_token_available?
+ def resource_access_token_feature_available?
 true
 end
+
+ def resource_access_token_creation_allowed?
+ group.resource_access_token_creation_allowed?
+ end
 end
 GroupPolicy.prepend_if_ee('EE::GroupPolicy')
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index f978c6111f6..4bd87c60499 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
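Review bot: In the third group_policy.rb hunk, `resource_access_token_creation_allowed?` calls `group.resource_access_token_creation_allowed?` (a predicate, with `?`), while the new `ProjectPolicy#resource_access_token_creation_allowed?` in the third project_policy.rb hunk calls `group.resource_access_token_creation_allowed` on the same kind of object without the `?`. If only one of these methods exists on Group, the other condition raises NoMethodError whenever that policy is evaluated, which breaks every ability check on the subject rather than just the token one; if both exist, the two policies may read the setting through different paths and drift apart. Both policies should call the same method so the per-group setting gates group and project tokens identically; I'd expect `group.resource_access_token_creation_allowed?` in both places, and a comment on the group method saying where the value comes from, e.g. `# Group-level setting that gates creation of new tokens; read/destroy stay available so existing tokens can still be managed.`.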
@@ -108,7 +108,8 @@ class ProjectPolicy < BasePolicy
 condition(:service_desk_enabled) { @subject.service_desk_enabled? }
 with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
 # We aren't checking `:read_issue` or `:read_merge_request` in this case
 # because it could be possible for a user to see an issuable-iid
@@ -632,11 +633,18 @@ class ProjectPolicy < BasePolicy
 rule { project_bot }.enable :project_bot_access
- rule { resource_access_token_available & can?(:admin_project) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
 end
- rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+ rule { can?(:read_resource_access_tokens) & resource_access_token_creation_allowed }.policy do
+ enable :create_resource_access_tokens
+ end
+
+ rule { can?(:project_bot_access) }.policy do
+ prevent :create_resource_access_tokens
+ end
 rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
 enable :set_pipeline_variables
@@ -720,10 +728,18 @@ class ProjectPolicy < BasePolicy
 end
 end
- def resource_access_token_available?
+ def resource_access_token_feature_available?
 true
 end
+ def resource_access_token_creation_allowed?
+ group = project.group
+
+ return true unless group # always enable for projects in personal namespaces
+
+ group.resource_access_token_creation_allowed
+ end
+
 def project
 @subject
 end |
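Review bot: In the second project_policy.rb hunk the project-bot restriction narrows from `prevent :admin_resource_access_tokens` to `prevent :create_resource_access_tokens`, so a project bot that satisfies `can?(:admin_project)` now gets `:read_resource_access_tokens` and `:destroy_resource_access_tokens`, which the removed rule denied it; a token principal being able to list and revoke the other tokens of the project is a real widening of what a leaked token can do. Unless that is intended, the new rule should deny all three abilities: `rule { can?(:project_bot_access) }.policy do prevent :create_resource_access_tokens, :read_resource_access_tokens, :destroy_resource_access_tokens end`. Separately, `resource_access_token_creation_allowed?` in the third hunk consults only `project.group`, the direct parent; if the setting is meant to be configured on the top-level group and inherited, projects in subgroups would not be covered unless Group resolves it up the ancestor chain, which is not visible here and worth confirming with a comment on that line.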