From ee664acb356f8123f4f6b00b73c1e1cf0866c7fb Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Thu, 20 Oct 2022 09:40:42 +0000
Subject: Add latest changes from gitlab-org/gitlab@15-5-stable-ee
---
 app/policies/group_policy.rb | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
(limited to 'app/policies/group_policy.rb')
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 96da0518dc0..7a0fb10928a 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -35,15 +35,15 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 with_options scope: :subject, score: 0
 condition(:request_access_enabled) { @subject.request_access_enabled }
 
- condition(:create_projects_disabled) do
+ condition(:create_projects_disabled, scope: :subject) do
 @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
 end
 
- condition(:developer_maintainer_access) do
+ condition(:developer_maintainer_access, scope: :subject) do
 @subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
 end
 
- condition(:maintainer_can_create_group) do
+ condition(:maintainer_can_create_group, scope: :subject) do
 @subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
 end
 
@@ -51,7 +51,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
 end
 
- condition(:dependency_proxy_available) do
+ condition(:dependency_proxy_available, scope: :subject) do
 @subject.dependency_proxy_feature_available?
 end
 
@@ -59,7 +59,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
 end
 
- condition(:observability_enabled) do
+ condition(:observability_enabled, scope: :subject) do
 Feature.enabled?(:observability_group_tab, @subject)
 end
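Review bot: The conditions switched to `scope: :subject` in the `@@ -35,15 +35,15 @@` hunk (and likewise `dependency_proxy_available` at `@@ -51,7 +51,7 @@` and `observability_enabled` at `@@ -59,7 +59,7 @@`) carry no comment saying that their blocks must stay free of `@user`. All five changed blocks read only `@subject`, so the wider cache scope looks correct today, but a subject-scoped result is shared between users, and a later edit that adds a user check to one of them would let one user's cached answer decide access for another. I would add a line above the group, e.g. `# Subject-scoped: cached per group for every user, so these blocks must not read @user.` The file also mixes the `with_options scope: :subject` prefix form (first context line of the hunk) with the inline keyword; settling on one would make the scope of each condition easier to audit.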
@@ -80,10 +80,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 with_scope :subject
 condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
 
+ with_scope :subject
 condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
 
- condition(:group_runner_registration_allowed) do
- Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+ condition(:group_runner_registration_allowed, scope: :global) do
+ Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
 end
 
 rule { can?(:read_group) & design_management_enabled }.policy do
@@ -149,6 +150,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :admin_crm_organization
 enable :admin_crm_contact
 enable :read_cluster
+
+ enable :read_group_all_available_runners
 end
 
 rule { reporter }.policy do
@@ -204,6 +207,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :destroy_deploy_token
 enable :update_runners_registration_token
 enable :owner_access
+
+ enable :read_billing
+ enable :edit_billing
 end
 
 rule { can?(:read_nested_project_resources) }.policy do
-- cgit v1.2.1
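Review bot: In the `@@ -80,10 +80,11 @@` hunk the added `with_scope :subject` line sits directly above `condition(:crm_enabled, score: 0, scope: :subject)`, which already passes the same scope inline, so the prefix appears redundant and one of the two forms should be dropped. On `group_runner_registration_allowed`, the new `scope: :global` is consistent with a block that now reads only `Gitlab::CurrentSettings`, but the reason is worth stating next to it: `# Global scope: depends only on instance settings, never on @user or @subject.` With the `runner_registration_control` flag fallback removed, the setting is the only gate on this condition, so a spec for the case where 'group' is absent from `valid_runner_registrars` would pin the deny path; this page is limited to group_policy.rb, so I cannot see whether one exists.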
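Review bot: `enable :read_group_all_available_runners` in the `@@ -149,6 +150,8 @@` hunk is added to a rule whose opening line lies above the hunk, so the role that receives it cannot be confirmed from here; the only anchor is that the next block is `rule { reporter }`. The ability is set apart by a blank line but has no comment, and its name suggests it exposes more than the group's own runners. I would document the intent where it is granted, e.g. `# Read-only view of every runner available to the group; granted here as the lowest role that needs it.` if that matches the design, and check that a spec asserts the roles below this rule are denied.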
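Review bot: `enable :read_billing` and `enable :edit_billing` in the `@@ -204,6 +207,9 @@` hunk are granted unconditionally inside the block that also enables `:owner_access`; the rule's opening line is above the hunk, so I am assuming it is the owner rule. Billing edit is a sensitive ability, and nothing visible here separates it from billing read, so both arrive together for whoever matches the rule. A short comment such as `# Billing is owner-only; read and edit are granted together on purpose.` would record that decision, and a spec asserting that maintainers are denied both abilities would guard against these lines drifting into a lower rule.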