gitlab-org--gitlab-foss/app/policies/issue_policy.rb

# frozen_string_literal: true

class IssuePolicy < IssuablePolicy
  # This class duplicates the same check of Issue#readable_by? for performance reasons
  # Make sure to sync this class checks with issue.rb to avoid security problems.
  # Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information.

  include CrudPolicyHelpers

  desc "User can read confidential issues"
  condition(:can_read_confidential) do
    @user && IssueCollection.new([@subject]).visible_to(@user).any?
  end

  desc "User can read contacts belonging to the issue group"
  condition(:can_read_crm_contacts, scope: :subject) { @user.can?(:read_crm_contact, @subject.project.group) }

  desc "Issue is confidential"
  condition(:confidential, scope: :subject) { @subject.confidential? }

  desc "Issue is hidden"
  condition(:hidden, scope: :subject) { @subject.hidden? }

  desc "Issue is persisted"
  condition(:persisted, scope: :subject) { @subject.persisted? }

  rule { confidential & ~can_read_confidential }.policy do
    prevent(*create_read_update_admin_destroy(:issue))
    prevent :read_issue_iid
  end

  rule { hidden & ~admin }.policy do
    prevent :read_issue
  end

  rule { ~can?(:read_issue) }.prevent :create_note

  rule { locked }.policy do
    prevent :reopen_issue
  end

  rule { ~can?(:read_issue) }.policy do
    prevent :read_design
    prevent :create_design
    prevent :destroy_design
  end

  rule { ~can?(:read_design) }.policy do
    prevent :move_design
  end

  rule { ~anonymous & can?(:read_issue) }.policy do
    enable :create_todo
    enable :update_subscription
  end

  # admin can set metadata on new issues
  rule { ~persisted & admin }.policy do
    enable :set_issue_metadata
  end

  # support bot needs to be able to set metadata on new issues when service desk is enabled
  rule { ~persisted & support_bot & can?(:guest_access) }.policy do
    enable :set_issue_metadata
  end

  # guest members need to be able to set issue metadata per https://gitlab.com/gitlab-org/gitlab/-/issues/300100
  rule { ~persisted & is_project_member & can?(:guest_access) }.policy do
    enable :set_issue_metadata
  end

  rule { persisted & can?(:admin_issue) }.policy do
    enable :set_issue_metadata
  end

  rule { can?(:set_issue_metadata) }.policy do
    enable :set_confidentiality
  end

  rule { ~persisted & can?(:create_issue) }.policy do
    enable :set_confidentiality
  end

  rule { can?(:set_issue_metadata) & can_read_crm_contacts }.policy do
    enable :set_issue_crm_contacts
  end
end

IssuePolicy.prepend_mod_with('IssuePolicy')
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 06:00:56 -04:00			`# frozen_string_literal: true`

port issues to Issu{able,e}Policy 2016-08-16 14:10:34 -04:00			`class IssuePolicy < IssuablePolicy`
Merge branch 'issue_23548_dev' into 'master' disable markdown in comments when referencing disabled features fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23548 This MR prevents the following references when tool is disabled: - issues - snippets - commits - when repo is disabled - commit range - when repo is disabled - milestones This MR does not prevent references to repository files, since they are just markdown links and don't leak information. See merge request !2011 Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-11-01 16:18:51 -04:00			`# This class duplicates the same check of Issue#readable_by? for performance reasons`
			`# Make sure to sync this class checks with issue.rb to avoid security problems.`
			`# Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information.`

Add latest changes from gitlab-org/gitlab@master 2020-04-13 11:09:20 -04:00			`include CrudPolicyHelpers`
Prevent unauthorised comments on merge requests * Prevent creating notes on inaccessible MRs This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs. * Prevent creating notes in inaccessible Issues without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read. * Add CHANGELOG entry 2019-06-04 23:30:54 -04:00
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`desc "User can read confidential issues"`
			`condition(:can_read_confidential) do`
			`@user && IssueCollection.new([@subject]).visible_to(@user).any?`
port issues to Issu{able,e}Policy 2016-08-16 14:10:34 -04:00			`end`

Add latest changes from gitlab-org/gitlab@master 2021-11-08 07:12:07 -05:00			`desc "User can read contacts belonging to the issue group"`
			`condition(:can_read_crm_contacts, scope: :subject) { @user.can?(:read_crm_contact, @subject.project.group) }`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`desc "Issue is confidential"`
			`condition(:confidential, scope: :subject) { @subject.confidential? }`
port issues to Issu{able,e}Policy 2016-08-16 14:10:34 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-08-12 14:10:45 -04:00			`desc "Issue is hidden"`
			`condition(:hidden, scope: :subject) { @subject.hidden? }`

Add latest changes from gitlab-org/gitlab@master 2021-06-11 14:10:13 -04:00			`desc "Issue is persisted"`
			`condition(:persisted, scope: :subject) { @subject.persisted? }`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`rule { confidential & ~can_read_confidential }.policy do`
Prevent unauthorised comments on merge requests * Prevent creating notes on inaccessible MRs This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs. * Prevent creating notes in inaccessible Issues without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read. * Add CHANGELOG entry 2019-06-04 23:30:54 -04:00			`prevent(*create_read_update_admin_destroy(:issue))`
Port `read_cross_project` ability from EE 2017-12-11 09:21:06 -05:00			`prevent :read_issue_iid`
port issues to Issu{able,e}Policy 2016-08-16 14:10:34 -04:00			`end`
Restrict reopening locked issues for issue authors 2018-08-19 15:43:41 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-08-12 14:10:45 -04:00			`rule { hidden & ~admin }.policy do`
			`prevent :read_issue`
			`end`

Prevent unauthorised comments on merge requests * Prevent creating notes on inaccessible MRs This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs. * Prevent creating notes in inaccessible Issues without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read. * Add CHANGELOG entry 2019-06-04 23:30:54 -04:00			`rule { ~can?(:read_issue) }.prevent :create_note`

Restrict reopening locked issues for issue authors 2018-08-19 15:43:41 -04:00			`rule { locked }.policy do`
			`prevent :reopen_issue`
			`end`
Add latest changes from gitlab-org/gitlab@master 2019-09-13 09:26:31 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-05-04 08:09:46 -04:00			`rule { ~can?(:read_issue) }.policy do`
			`prevent :read_design`
			`prevent :create_design`
			`prevent :destroy_design`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-07-27 20:10:23 -04:00			`rule { ~can?(:read_design) }.policy do`
			`prevent :move_design`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-10-30 14:08:56 -04:00
			`rule { ~anonymous & can?(:read_issue) }.policy do`
			`enable :create_todo`
Add latest changes from gitlab-org/gitlab@master 2021-05-21 08:10:27 -04:00			`enable :update_subscription`
Add latest changes from gitlab-org/gitlab@master 2020-10-30 14:08:56 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2021-06-11 14:10:13 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-08-03 17:09:39 -04:00			`# admin can set metadata on new issues`
			`rule { ~persisted & admin }.policy do`
			`enable :set_issue_metadata`
			`end`

			`# support bot needs to be able to set metadata on new issues when service desk is enabled`
			`rule { ~persisted & support_bot & can?(:guest_access) }.policy do`
			`enable :set_issue_metadata`
			`end`

			`# guest members need to be able to set issue metadata per https://gitlab.com/gitlab-org/gitlab/-/issues/300100`
			`rule { ~persisted & is_project_member & can?(:guest_access) }.policy do`
Add latest changes from gitlab-org/gitlab@master 2021-06-11 14:10:13 -04:00			`enable :set_issue_metadata`
			`end`

			`rule { persisted & can?(:admin_issue) }.policy do`
			`enable :set_issue_metadata`
			`end`
Add latest changes from gitlab-org/gitlab@master 2021-08-25 05:10:52 -04:00
			`rule { can?(:set_issue_metadata) }.policy do`
			`enable :set_confidentiality`
			`end`

			`rule { ~persisted & can?(:create_issue) }.policy do`
			`enable :set_confidentiality`
			`end`
Add latest changes from gitlab-org/gitlab@master 2021-11-08 07:12:07 -05:00
			`rule { can?(:set_issue_metadata) & can_read_crm_contacts }.policy do`
			`enable :set_issue_crm_contacts`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-05-04 08:09:46 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2020-07-23 14:10:06 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-05-11 17:10:21 -04:00			`IssuePolicy.prepend_mod_with('IssuePolicy')`