authorGitLab Bot <gitlab-bot@gitlab.com>2020-06-18 11:18:50 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-06-18 11:18:50 +0000
commit8c7f4e9d5f36cff46365a7f8c4b9c21578c1e781 (patch)
treea77e7fe7a93de11213032ed4ab1f33a3db51b738 /app/policies
parent00b35af3db1abfe813a778f643dad221aad51fca (diff)
Add latest changes from gitlab-org/gitlab@13-1-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/build_policy.rb22
-rw-r--r--app/policies/container_expiration_policy_policy.rb5
-rw-r--r--app/policies/draft_note_policy.rb13
-rw-r--r--app/policies/project_policy.rb35
-rw-r--r--app/policies/releases/link_policy.rb7
-rw-r--r--app/policies/releases/source_policy.rb13
6 files changed, 77 insertions, 18 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 12892a69257..0879a740f8a 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -36,6 +36,10 @@ module Ci
@subject.has_terminal?
end
+ condition(:is_web_ide_terminal, scope: :subject) do
+ @subject.pipeline.webide?
+ end
+
rule { protected_ref | archived }.policy do
prevent :update_build
prevent :update_commit_status
@@ -50,6 +54,24 @@ module Ci
end
rule { can?(:update_build) & terminal }.enable :create_build_terminal
+
+ rule { is_web_ide_terminal & can?(:create_web_ide_terminal) & (admin | owner_of_job) }.policy do
+ enable :read_web_ide_terminal
+ enable :update_web_ide_terminal
+ end
+
+ rule { is_web_ide_terminal & ~can?(:update_web_ide_terminal) }.policy do
+ prevent :create_build_terminal
+ end
+
+ rule { can?(:update_web_ide_terminal) & terminal }.policy do
+ enable :create_build_terminal
+ enable :create_build_service_proxy
+ end
+
+ rule { ~can?(:build_service_proxy_enabled) }.policy do
+ prevent :create_build_service_proxy
+ end
end
end
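Review bot: The new rule `can?(:update_web_ide_terminal) & terminal` enables `:create_build_terminal` and `:create_build_service_proxy` without going through `can?(:update_build)`, so the `protected_ref | archived` prevents on `:update_build` do not gate the Web IDE path. Only the first two prevents of that block are visible in this diff, so this holds unless the block also prevents `:create_build_terminal` further down. If the bypass is intended, state it in a comment above the rule, e.g. `# Web IDE terminals are gated by job ownership, not by :update_build`. If it is not, add `& can?(:update_build)` to the new rule or `prevent :create_build_terminal` to the protected_ref block. The `admin` and `owner_of_job` conditions used here are defined outside the hunk.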
diff --git a/app/policies/container_expiration_policy_policy.rb b/app/policies/container_expiration_policy_policy.rb
new file mode 100644
index 00000000000..709435f47d3
--- /dev/null
+++ b/app/policies/container_expiration_policy_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ContainerExpirationPolicyPolicy < BasePolicy
+ delegate { @subject.project }
+end
diff --git a/app/policies/draft_note_policy.rb b/app/policies/draft_note_policy.rb
new file mode 100644
index 00000000000..be99d12c5f8
--- /dev/null
+++ b/app/policies/draft_note_policy.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class DraftNotePolicy < BasePolicy
+ delegate { @subject.merge_request }
+
+ condition(:is_author) { @user && @subject.author == @user }
+
+ rule { is_author }.policy do
+ enable :read_note
+ enable :admin_note
+ enable :resolve_note
+ end
+end
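Review bot: `is_author` alone enables `:read_note`, `:admin_note` and `:resolve_note`, so these abilities do not depend on the author still being able to see the merge request the draft belongs to. Unless the delegated merge request policy prevents them (not visible here), a user whose project access was removed would keep these abilities on their drafts. Consider tying the rule to the parent object, `rule { is_author & can?(:read_merge_request) }.policy do`, and covering the revoked-access case in a spec.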
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 8df4fc5e88c..f87c72007ec 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -147,6 +147,10 @@ class ProjectPolicy < BasePolicy
@user && @user.confirmed?
end
+ condition(:build_service_proxy_enabled) do
+ ::Feature.enabled?(:build_service_proxy, @subject)
+ end
+
features = %w[
merge_requests
issues
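Review bot: `build_service_proxy_enabled` is a feature-flag check, but later in this file the same name is enabled as an ability (`rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled`) so that ci/build_policy.rb can test it with `can?`. That makes a rollout flag read like a user permission, and anyone auditing abilities will see it granted to every user of the project once the flag is on. A comment on the condition such as `# Feature flag surfaced as an ability for the build policy; not a user permission` would make the intent explicit. The surrounding ProjectPolicy body lies outside the hunk.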
@@ -278,7 +282,6 @@ class ProjectPolicy < BasePolicy
rule { can?(:metrics_dashboard) }.policy do
enable :read_prometheus
- enable :read_environment
enable :read_deployment
end
@@ -429,27 +432,11 @@ class ProjectPolicy < BasePolicy
rule { builds_disabled | repository_disabled }.policy do
prevent(*create_read_update_admin_destroy(:build))
prevent(*create_read_update_admin_destroy(:pipeline_schedule))
+ prevent(*create_read_update_admin_destroy(:environment))
prevent(*create_read_update_admin_destroy(:cluster))
prevent(*create_read_update_admin_destroy(:deployment))
end
- # Enabling `read_environment` specifically for the condition of `metrics_dashboard_allowed` is
- # necessary due to the route for metrics dashboard requiring an environment id.
- # This will be addressed in https://gitlab.com/gitlab-org/gitlab/-/issues/213833 when
- # environments and metrics are decoupled and these rules will be removed.
-
- rule { (builds_disabled | repository_disabled) & ~metrics_dashboard_allowed}.policy do
- prevent(*create_read_update_admin_destroy(:environment))
- end
-
- rule { (builds_disabled | repository_disabled) & metrics_dashboard_allowed}.policy do
- prevent :create_environment
- prevent :update_environment
- prevent :admin_environment
- prevent :destroy_environment
- enable :read_environment
- end
-
# There's two separate cases when builds_disabled is true:
# 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
# - We do not prevent the user from accessing Pipelines to allow them to access external CI
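Review bot: `:read_environment` is now prevented whenever builds or the repository are disabled, including for users who satisfy `metrics_dashboard_allowed`, while the removed comment says the metrics dashboard route requires an environment id. Unless that route stopped authorizing on `:read_environment` elsewhere in this change set (only app/policies is shown), those users will be denied the dashboard. The failure is closed, so this is a functionality check rather than an exposure. A spec for the builds-disabled plus metrics-dashboard case would pin the intended result.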
@@ -577,6 +564,18 @@ class ProjectPolicy < BasePolicy
enable :read_project
end
+ rule { can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
+
+ rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
+
+ rule { can?(:download_code) }.policy do
+ enable :read_repository_graphs
+ end
+
+ rule { can?(:read_build) & can?(:read_pipeline) }.policy do
+ enable :read_build_report_results
+ end
+
private
def team_member?
diff --git a/app/policies/releases/link_policy.rb b/app/policies/releases/link_policy.rb
new file mode 100644
index 00000000000..4a662fafb2f
--- /dev/null
+++ b/app/policies/releases/link_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Releases
+ class LinkPolicy < BasePolicy
+ delegate { @subject.release.project }
+ end
+end
diff --git a/app/policies/releases/source_policy.rb b/app/policies/releases/source_policy.rb
new file mode 100644
index 00000000000..8b86b925589
--- /dev/null
+++ b/app/policies/releases/source_policy.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Releases
+ class SourcePolicy < BasePolicy
+ delegate { @subject.project }
+
+ rule { can?(:public_access) | can?(:reporter_access) }.policy do
+ enable :read_release_sources
+ end
+
+ rule { ~can?(:read_release) }.prevent :read_release_sources
+ end
+end
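Review bot: `:read_release_sources` is enabled on `public_access` or `reporter_access` and withdrawn only when `:read_release` is missing, so nothing here ties it to repository access. Release sources are presumably archives of the repository, in which case a project whose repository is more restricted than its releases could expose source links to users who cannot `:download_code`. If that is the case, add `rule { ~can?(:download_code) }.prevent :read_release_sources` next to the existing prevent.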