2018-07-24 06:00:56 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-08-11 18:12:52 -04:00
|
|
|
class ProjectPolicy < BasePolicy
|
2020-04-13 11:09:20 -04:00
|
|
|
include CrudPolicyHelpers
|
2020-07-29 02:09:49 -04:00
|
|
|
include ReadonlyAbilities
|
2018-04-02 14:38:47 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
desc "Project has public builds enabled"
|
2018-04-02 14:38:47 -04:00
|
|
|
condition(:public_builds, scope: :subject, score: 0) { project.public_builds? }
|
2017-04-06 17:06:42 -04:00
|
|
|
|
2017-08-24 13:06:04 -04:00
|
|
|
# For guest access we use #team_member? so we can use
|
2017-04-06 17:06:42 -04:00
|
|
|
# project.members, which gets cached in subject scope.
|
|
|
|
# This is safe because team_access_level is guaranteed
|
|
|
|
# by ProjectAuthorization's validation to be at minimum
|
|
|
|
# GUEST
|
|
|
|
desc "User has guest access"
|
2017-08-24 13:06:04 -04:00
|
|
|
condition(:guest) { team_member? }
|
2016-08-30 14:10:33 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
desc "User has reporter access"
|
|
|
|
condition(:reporter) { team_access_level >= Gitlab::Access::REPORTER }
|
2016-08-30 14:10:33 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
desc "User has developer access"
|
|
|
|
condition(:developer) { team_access_level >= Gitlab::Access::DEVELOPER }
|
|
|
|
|
2018-06-03 22:58:15 -04:00
|
|
|
desc "User has maintainer access"
|
2018-07-11 10:36:08 -04:00
|
|
|
condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER }
|
2017-04-06 17:06:42 -04:00
|
|
|
|
2022-05-19 08:08:42 -04:00
|
|
|
desc "User has owner access"
|
|
|
|
condition :owner do
|
|
|
|
owner_of_personal_namespace = project.owner.present? && project.owner == @user
|
|
|
|
|
|
|
|
unless owner_of_personal_namespace
|
2022-06-15 17:10:04 -04:00
|
|
|
group_or_project_owner = team_access_level >= Gitlab::Access::OWNER
|
2022-05-19 08:08:42 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
owner_of_personal_namespace || group_or_project_owner
|
|
|
|
end
|
|
|
|
|
2021-01-29 16:09:34 -05:00
|
|
|
desc "User is a project bot"
|
|
|
|
condition(:project_bot) { user.project_bot? && team_member? }
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
desc "Project is public"
|
2018-04-02 14:38:47 -04:00
|
|
|
condition(:public_project, scope: :subject, score: 0) { project.public? }
|
2017-04-06 17:06:42 -04:00
|
|
|
|
|
|
|
desc "Project is visible to internal users"
|
|
|
|
condition(:internal_access) do
|
|
|
|
project.internal? && !user.external?
|
2016-08-30 14:10:33 -04:00
|
|
|
end
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
desc "User is a member of the group"
|
|
|
|
condition(:group_member, scope: :subject) { project_group_member? }
|
|
|
|
|
|
|
|
desc "Project is archived"
|
2018-04-02 14:38:47 -04:00
|
|
|
condition(:archived, scope: :subject, score: 0) { project.archived? }
|
2017-04-06 17:06:42 -04:00
|
|
|
|
2021-11-11 13:14:04 -05:00
|
|
|
desc "Project is in the process of being deleted"
|
|
|
|
condition(:pending_delete) { project.pending_delete? }
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
condition(:default_issues_tracker, scope: :subject) { project.default_issues_tracker? }
|
|
|
|
|
|
|
|
desc "Container registry is disabled"
|
|
|
|
condition(:container_registry_disabled, scope: :subject) do
|
2022-06-27 14:09:39 -04:00
|
|
|
if user.is_a?(DeployToken)
|
|
|
|
(!user.read_registry? && !user.write_registry?) ||
|
|
|
|
user.revoked? ||
|
|
|
|
!project.container_registry_enabled?
|
|
|
|
else
|
|
|
|
!access_allowed_to?(:container_registry)
|
|
|
|
end
|
2016-08-11 18:12:52 -04:00
|
|
|
end
|
|
|
|
|
2021-07-19 08:10:08 -04:00
|
|
|
desc "Container registry is enabled for everyone with access to the project"
|
|
|
|
condition(:container_registry_enabled_for_everyone_with_access, scope: :subject) do
|
|
|
|
project.container_registry_access_level == ProjectFeature::ENABLED
|
|
|
|
end
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
desc "Project has an external wiki"
|
2018-04-02 14:38:47 -04:00
|
|
|
condition(:has_external_wiki, scope: :subject, score: 0) { project.has_external_wiki? }
|
2017-04-06 17:06:42 -04:00
|
|
|
|
|
|
|
desc "Project has request access enabled"
|
2018-04-02 14:38:47 -04:00
|
|
|
condition(:request_access_enabled, scope: :subject, score: 0) { project.request_access_enabled }
|
2017-04-06 17:06:42 -04:00
|
|
|
|
2018-03-06 17:30:47 -05:00
|
|
|
desc "Has merge requests allowing pushes to user"
|
2018-05-15 04:18:22 -04:00
|
|
|
condition(:has_merge_requests_allowing_pushes) do
|
2018-03-06 17:30:47 -05:00
|
|
|
project.merge_requests_allowing_push_to_user(user).any?
|
2018-02-26 07:32:42 -05:00
|
|
|
end
|
|
|
|
|
2021-07-02 20:06:54 -04:00
|
|
|
desc "Deploy key with read access"
|
|
|
|
condition(:download_code_deploy_key) do
|
|
|
|
user.is_a?(DeployKey) && user.has_access_to?(project)
|
|
|
|
end
|
|
|
|
|
|
|
|
desc "Deploy key with write access"
|
|
|
|
condition(:push_code_deploy_key) do
|
|
|
|
user.is_a?(DeployKey) && user.can_push_to?(project)
|
|
|
|
end
|
|
|
|
|
2022-06-27 14:09:39 -04:00
|
|
|
desc "Deploy token with read_container_image scope"
|
|
|
|
condition(:read_container_image_deploy_token) do
|
|
|
|
user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_registry?
|
|
|
|
end
|
|
|
|
|
|
|
|
desc "Deploy token with create_container_image scope"
|
|
|
|
condition(:create_container_image_deploy_token) do
|
|
|
|
user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_registry?
|
|
|
|
end
|
|
|
|
|
2020-05-13 05:08:37 -04:00
|
|
|
desc "Deploy token with read_package_registry scope"
|
|
|
|
condition(:read_package_registry_deploy_token) do
|
|
|
|
user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
|
|
|
|
end
|
|
|
|
|
|
|
|
desc "Deploy token with write_package_registry scope"
|
|
|
|
condition(:write_package_registry_deploy_token) do
|
|
|
|
user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_package_registry
|
|
|
|
end
|
|
|
|
|
2021-12-06 22:12:22 -05:00
|
|
|
desc "Deploy token with read access"
|
|
|
|
condition(:download_code_deploy_token) do
|
|
|
|
user.is_a?(DeployToken) && user.has_access_to?(project)
|
|
|
|
end
|
|
|
|
|
2021-06-10 17:10:02 -04:00
|
|
|
desc "If user is authenticated via CI job token then the target project should be in scope"
|
|
|
|
condition(:project_allowed_for_job_token) do
|
|
|
|
!@user&.from_ci_job_token? || @user.ci_job_token_scope.includes?(project)
|
|
|
|
end
|
|
|
|
|
2020-01-17 13:08:41 -05:00
|
|
|
with_scope :subject
|
|
|
|
condition(:forking_allowed) do
|
|
|
|
@subject.feature_available?(:forking, @user)
|
|
|
|
end
|
|
|
|
|
2020-04-30 05:09:39 -04:00
|
|
|
with_scope :subject
|
|
|
|
condition(:metrics_dashboard_allowed) do
|
2021-02-05 13:09:44 -05:00
|
|
|
access_allowed_to?(:metrics_dashboard)
|
2020-04-30 05:09:39 -04:00
|
|
|
end
|
|
|
|
|
2018-05-03 10:19:21 -04:00
|
|
|
with_scope :global
|
|
|
|
condition(:mirror_available, score: 0) do
|
|
|
|
::Gitlab::CurrentSettings.current_application_settings.mirror_available
|
|
|
|
end
|
|
|
|
|
2019-04-09 11:38:58 -04:00
|
|
|
with_scope :subject
|
|
|
|
condition(:classification_label_authorized, score: 32) do
|
|
|
|
::Gitlab::ExternalAuthorization.access_allowed?(
|
|
|
|
@user,
|
|
|
|
@subject.external_authorization_classification_label,
|
|
|
|
@subject.full_path
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
2020-05-04 08:09:46 -04:00
|
|
|
with_scope :subject
|
|
|
|
condition(:design_management_disabled) do
|
|
|
|
!@subject.design_management_enabled?
|
|
|
|
end
|
|
|
|
|
2020-06-22 11:09:27 -04:00
|
|
|
with_scope :subject
|
|
|
|
condition(:service_desk_enabled) { @subject.service_desk_enabled? }
|
|
|
|
|
2020-09-30 14:09:52 -04:00
|
|
|
with_scope :subject
|
2021-03-26 17:09:22 -04:00
|
|
|
condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
|
|
|
|
condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
|
2020-09-30 14:09:52 -04:00
|
|
|
|
2018-04-02 11:14:20 -04:00
|
|
|
# We aren't checking `:read_issue` or `:read_merge_request` in this case
|
|
|
|
# because it could be possible for a user to see an issuable-iid
|
|
|
|
# (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
|
|
|
|
# allowed to read the actual issue after a more expensive `:read_issue`
|
|
|
|
# check. These checks are intended to be used alongside
|
|
|
|
# `:read_project_for_iids`.
|
|
|
|
#
|
|
|
|
# `:read_issue` & `:read_issue_iid` could diverge in gitlab-ee.
|
|
|
|
condition(:issues_visible_to_user, score: 4) do
|
|
|
|
@subject.feature_available?(:issues, @user)
|
|
|
|
end
|
|
|
|
|
|
|
|
condition(:merge_requests_visible_to_user, score: 4) do
|
|
|
|
@subject.feature_available?(:merge_requests, @user)
|
|
|
|
end
|
|
|
|
|
2019-01-28 07:12:30 -05:00
|
|
|
condition(:internal_builds_disabled) do
|
|
|
|
!@subject.builds_enabled?
|
|
|
|
end
|
|
|
|
|
2019-11-07 19:05:58 -05:00
|
|
|
condition(:user_confirmed?) do
|
|
|
|
@user && @user.confirmed?
|
|
|
|
end
|
|
|
|
|
2020-05-25 11:07:58 -04:00
|
|
|
condition(:build_service_proxy_enabled) do
|
|
|
|
::Feature.enabled?(:build_service_proxy, @subject)
|
|
|
|
end
|
|
|
|
|
2021-01-14 07:10:54 -05:00
|
|
|
condition(:user_defined_variables_allowed) do
|
|
|
|
!@subject.restrict_user_defined_variables?
|
|
|
|
end
|
|
|
|
|
2020-07-13 02:09:23 -04:00
|
|
|
with_scope :subject
|
|
|
|
condition(:packages_disabled) { !@subject.packages_enabled }
|
|
|
|
|
2022-06-27 11:09:33 -04:00
|
|
|
condition(:work_items_enabled, scope: :subject) { project&.work_items_feature_flag_enabled? }
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
features = %w[
|
|
|
|
merge_requests
|
|
|
|
issues
|
|
|
|
repository
|
|
|
|
snippets
|
|
|
|
wiki
|
|
|
|
builds
|
2018-10-05 09:41:11 -04:00
|
|
|
pages
|
2020-04-30 05:09:39 -04:00
|
|
|
metrics_dashboard
|
2020-12-16 16:09:57 -05:00
|
|
|
analytics
|
2020-11-27 07:09:14 -05:00
|
|
|
operations
|
2021-02-18 13:10:41 -05:00
|
|
|
security_and_compliance
|
2017-04-06 17:06:42 -04:00
|
|
|
]
|
|
|
|
|
|
|
|
features.each do |f|
|
|
|
|
# these are scored high because they are unlikely
|
|
|
|
desc "Project has #{f} disabled"
|
2021-02-05 13:09:44 -05:00
|
|
|
condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) }
|
2016-08-11 18:12:52 -04:00
|
|
|
end
|
|
|
|
|
2022-03-08 07:20:17 -05:00
|
|
|
condition(:project_runner_registration_allowed) do
|
2022-05-06 11:09:03 -04:00
|
|
|
Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
|
2022-03-08 07:20:17 -05:00
|
|
|
end
|
|
|
|
|
2022-06-17 02:08:15 -04:00
|
|
|
condition :registry_enabled do
|
|
|
|
Gitlab.config.registry.enabled
|
|
|
|
end
|
|
|
|
|
2022-07-19 14:09:21 -04:00
|
|
|
condition :packages_enabled do
|
|
|
|
Gitlab.config.packages.enabled
|
|
|
|
end
|
|
|
|
|
2018-04-02 11:14:20 -04:00
|
|
|
# `:read_project` may be prevented in EE, but `:read_project_for_iids` should
|
|
|
|
# not.
|
|
|
|
rule { guest | admin }.enable :read_project_for_iids
|
|
|
|
|
2019-10-14 11:06:07 -04:00
|
|
|
rule { admin }.enable :update_max_artifacts_size
|
2021-05-18 17:10:16 -04:00
|
|
|
rule { admin }.enable :read_storage_disk_path
|
2020-06-29 08:09:20 -04:00
|
|
|
rule { can?(:read_all_resources) }.enable :read_confidential_issues
|
2019-10-14 11:06:07 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { guest }.enable :guest_access
|
|
|
|
rule { reporter }.enable :reporter_access
|
|
|
|
rule { developer }.enable :developer_access
|
2018-07-11 10:36:08 -04:00
|
|
|
rule { maintainer }.enable :maintainer_access
|
2017-12-11 09:21:06 -05:00
|
|
|
rule { owner | admin }.enable :owner_access
|
2017-04-06 17:06:42 -04:00
|
|
|
|
2017-12-11 09:21:06 -05:00
|
|
|
rule { can?(:owner_access) }.policy do
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :guest_access
|
|
|
|
enable :reporter_access
|
|
|
|
enable :developer_access
|
2018-07-11 10:36:08 -04:00
|
|
|
enable :maintainer_access
|
2017-04-06 17:06:42 -04:00
|
|
|
|
|
|
|
enable :change_namespace
|
|
|
|
enable :change_visibility_level
|
|
|
|
enable :rename_project
|
|
|
|
enable :remove_project
|
|
|
|
enable :archive_project
|
|
|
|
enable :remove_fork_project
|
|
|
|
enable :destroy_merge_request
|
|
|
|
enable :destroy_issue
|
2018-08-22 08:10:54 -04:00
|
|
|
|
|
|
|
enable :set_issue_iid
|
|
|
|
enable :set_issue_created_at
|
2019-06-11 19:12:21 -04:00
|
|
|
enable :set_issue_updated_at
|
2018-08-22 08:10:54 -04:00
|
|
|
enable :set_note_created_at
|
2019-08-15 13:37:36 -04:00
|
|
|
enable :set_emails_disabled
|
2020-05-15 11:08:04 -04:00
|
|
|
enable :set_show_default_award_emojis
|
2021-10-28 14:14:18 -04:00
|
|
|
enable :set_warn_about_potentially_unwanted_characters
|
2022-03-08 07:20:17 -05:00
|
|
|
|
|
|
|
enable :register_project_runners
|
2022-05-30 08:08:23 -04:00
|
|
|
enable :manage_owners
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
2016-08-11 18:12:52 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { can?(:guest_access) }.policy do
|
|
|
|
enable :read_project
|
2021-03-02 19:10:50 -05:00
|
|
|
enable :read_issue_board
|
|
|
|
enable :read_issue_board_list
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_wiki
|
|
|
|
enable :read_issue
|
|
|
|
enable :read_label
|
2022-01-31 01:12:59 -05:00
|
|
|
enable :read_planning_hierarchy
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_milestone
|
2020-01-23 07:08:38 -05:00
|
|
|
enable :read_snippet
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_project_member
|
|
|
|
enable :read_note
|
|
|
|
enable :create_project
|
|
|
|
enable :create_issue
|
|
|
|
enable :create_note
|
|
|
|
enable :upload_file
|
|
|
|
enable :read_cycle_analytics
|
2018-04-06 14:19:37 -04:00
|
|
|
enable :award_emoji
|
2018-10-05 09:41:11 -04:00
|
|
|
enable :read_pages_content
|
2019-05-03 09:29:20 -04:00
|
|
|
enable :read_release
|
2020-12-16 16:09:57 -05:00
|
|
|
enable :read_analytics
|
2021-02-11 10:09:11 -05:00
|
|
|
enable :read_insights
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
2016-08-11 18:12:52 -04:00
|
|
|
|
2021-11-09 16:10:00 -05:00
|
|
|
rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident
|
2021-05-14 08:10:58 -04:00
|
|
|
|
2022-06-27 11:09:33 -04:00
|
|
|
rule { can?(:create_issue) }.enable :create_work_item
|
|
|
|
|
|
|
|
rule { can?(:create_issue) & work_items_enabled }.enable :create_task
|
2021-12-24 13:13:33 -05:00
|
|
|
|
2017-12-11 09:21:06 -05:00
|
|
|
# These abilities are not allowed to admins that are not members of the project,
|
2018-04-03 17:34:56 -04:00
|
|
|
# that's why they are defined separately.
|
2017-12-11 09:21:06 -05:00
|
|
|
rule { guest & can?(:download_code) }.enable :build_download_code
|
2018-04-05 09:49:18 -04:00
|
|
|
rule { guest & can?(:read_container_image) }.enable :build_read_container_image
|
2017-12-11 09:21:06 -05:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { can?(:reporter_access) }.policy do
|
2021-03-02 19:10:50 -05:00
|
|
|
enable :admin_issue_board
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :download_code
|
2019-03-22 19:44:35 -04:00
|
|
|
enable :read_statistics
|
2021-06-07 08:10:00 -04:00
|
|
|
enable :daily_statistics
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :download_wiki_code
|
2020-01-23 07:08:38 -05:00
|
|
|
enable :create_snippet
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :update_issue
|
2018-08-19 15:43:41 -04:00
|
|
|
enable :reopen_issue
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :admin_issue
|
|
|
|
enable :admin_label
|
2022-04-29 14:08:18 -04:00
|
|
|
enable :admin_milestone
|
2021-03-02 19:10:50 -05:00
|
|
|
enable :admin_issue_board_list
|
2020-08-19 14:10:34 -04:00
|
|
|
enable :admin_issue_link
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_commit_status
|
|
|
|
enable :read_build
|
|
|
|
enable :read_container_image
|
2022-07-13 20:08:59 -04:00
|
|
|
enable :read_harbor_registry
|
2021-01-05 13:10:25 -05:00
|
|
|
enable :read_deploy_board
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_pipeline
|
2020-04-30 08:09:45 -04:00
|
|
|
enable :read_pipeline_schedule
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_environment
|
|
|
|
enable :read_deployment
|
|
|
|
enable :read_merge_request
|
2019-01-09 16:04:27 -05:00
|
|
|
enable :read_sentry_issue
|
2019-04-02 02:26:09 -04:00
|
|
|
enable :read_prometheus
|
2020-04-07 14:09:19 -04:00
|
|
|
enable :read_metrics_dashboard_annotation
|
2020-04-30 05:09:39 -04:00
|
|
|
enable :metrics_dashboard
|
2020-06-29 08:09:20 -04:00
|
|
|
enable :read_confidential_issues
|
2020-07-10 11:09:07 -04:00
|
|
|
enable :read_package
|
2020-07-27 05:09:42 -04:00
|
|
|
enable :read_product_analytics
|
2021-08-03 17:09:39 -04:00
|
|
|
enable :read_ci_cd_analytics
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
2016-08-11 18:12:52 -04:00
|
|
|
|
2017-12-11 09:21:06 -05:00
|
|
|
# We define `:public_user_access` separately because there are cases in gitlab-ee
|
|
|
|
# where we enable or prevent it based on other coditions.
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { (~anonymous & public_project) | internal_access }.policy do
|
|
|
|
enable :public_user_access
|
2018-04-02 11:14:20 -04:00
|
|
|
enable :read_project_for_iids
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
2016-08-11 18:12:52 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { can?(:public_user_access) }.policy do
|
2017-12-11 09:21:06 -05:00
|
|
|
enable :public_access
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :guest_access
|
2017-12-11 09:21:06 -05:00
|
|
|
|
|
|
|
enable :build_download_code
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :request_access
|
|
|
|
end
|
2016-09-16 15:15:39 -04:00
|
|
|
|
2021-07-19 08:10:08 -04:00
|
|
|
rule { container_registry_enabled_for_everyone_with_access & can?(:public_user_access) }.policy do
|
|
|
|
enable :build_read_container_image
|
|
|
|
end
|
|
|
|
|
2020-01-20 10:09:18 -05:00
|
|
|
rule { (can?(:public_user_access) | can?(:reporter_access)) & forking_allowed }.policy do
|
2020-01-17 13:08:41 -05:00
|
|
|
enable :fork_project
|
|
|
|
end
|
|
|
|
|
2020-04-30 05:09:39 -04:00
|
|
|
rule { metrics_dashboard_disabled }.policy do
|
|
|
|
prevent(:metrics_dashboard)
|
|
|
|
end
|
|
|
|
|
2020-11-27 07:09:14 -05:00
|
|
|
rule { operations_disabled }.policy do
|
|
|
|
prevent(*create_read_update_admin_destroy(:feature_flag))
|
|
|
|
prevent(*create_read_update_admin_destroy(:environment))
|
|
|
|
prevent(*create_read_update_admin_destroy(:sentry_issue))
|
|
|
|
prevent(*create_read_update_admin_destroy(:alert_management_alert))
|
|
|
|
prevent(*create_read_update_admin_destroy(:cluster))
|
|
|
|
prevent(*create_read_update_admin_destroy(:terraform_state))
|
|
|
|
prevent(*create_read_update_admin_destroy(:deployment))
|
|
|
|
prevent(:metrics_dashboard)
|
|
|
|
prevent(:read_pod_logs)
|
|
|
|
prevent(:read_prometheus)
|
|
|
|
end
|
|
|
|
|
2020-04-30 05:09:39 -04:00
|
|
|
rule { can?(:metrics_dashboard) }.policy do
|
|
|
|
enable :read_prometheus
|
|
|
|
enable :read_deployment
|
2020-05-15 17:08:21 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
rule { ~anonymous & can?(:metrics_dashboard) }.policy do
|
2020-05-11 14:09:55 -04:00
|
|
|
enable :create_metrics_user_starred_dashboard
|
|
|
|
enable :read_metrics_user_starred_dashboard
|
2020-04-30 05:09:39 -04:00
|
|
|
end
|
|
|
|
|
2021-08-10 05:10:08 -04:00
|
|
|
rule { packages_disabled }.policy do
|
2020-07-13 02:09:23 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:package))
|
|
|
|
end
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { owner | admin | guest | group_member }.prevent :request_access
|
|
|
|
rule { ~request_access_enabled }.prevent :request_access
|
|
|
|
|
2019-01-03 00:17:07 -05:00
|
|
|
rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
|
2018-12-31 03:39:43 -05:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { can?(:developer_access) }.policy do
|
2020-07-13 02:09:23 -04:00
|
|
|
enable :create_package
|
2021-03-02 19:10:50 -05:00
|
|
|
enable :admin_issue_board
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :admin_merge_request
|
|
|
|
enable :update_merge_request
|
2019-03-08 03:34:20 -05:00
|
|
|
enable :reopen_merge_request
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :create_commit_status
|
|
|
|
enable :update_commit_status
|
|
|
|
enable :create_build
|
|
|
|
enable :update_build
|
2021-09-20 20:09:28 -04:00
|
|
|
enable :read_resource_group
|
|
|
|
enable :update_resource_group
|
2018-04-06 08:18:58 -04:00
|
|
|
enable :create_merge_request_from
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :create_wiki
|
|
|
|
enable :push_code
|
|
|
|
enable :resolve_note
|
|
|
|
enable :create_container_image
|
|
|
|
enable :update_container_image
|
2019-06-17 07:13:03 -04:00
|
|
|
enable :destroy_container_image
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :create_environment
|
2019-12-10 02:53:40 -05:00
|
|
|
enable :update_environment
|
2020-03-25 05:08:11 -04:00
|
|
|
enable :destroy_environment
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :create_deployment
|
2019-10-16 14:08:01 -04:00
|
|
|
enable :update_deployment
|
2022-01-27 19:14:06 -05:00
|
|
|
enable :read_cluster
|
2018-12-13 06:08:53 -05:00
|
|
|
enable :create_release
|
|
|
|
enable :update_release
|
2021-07-27 17:09:42 -04:00
|
|
|
enable :destroy_release
|
2020-04-07 14:09:19 -04:00
|
|
|
enable :create_metrics_dashboard_annotation
|
|
|
|
enable :delete_metrics_dashboard_annotation
|
|
|
|
enable :update_metrics_dashboard_annotation
|
2020-05-07 17:09:26 -04:00
|
|
|
enable :read_alert_management_alert
|
|
|
|
enable :update_alert_management_alert
|
2020-05-04 08:09:46 -04:00
|
|
|
enable :create_design
|
2020-07-27 20:10:23 -04:00
|
|
|
enable :move_design
|
2020-05-04 08:09:46 -04:00
|
|
|
enable :destroy_design
|
2020-07-14 02:09:17 -04:00
|
|
|
enable :read_terraform_state
|
2020-08-04 11:09:27 -04:00
|
|
|
enable :read_pod_logs
|
2020-09-17 02:09:32 -04:00
|
|
|
enable :read_feature_flag
|
|
|
|
enable :create_feature_flag
|
|
|
|
enable :update_feature_flag
|
|
|
|
enable :destroy_feature_flag
|
|
|
|
enable :admin_feature_flag
|
|
|
|
enable :admin_feature_flags_user_lists
|
2021-12-20 13:13:27 -05:00
|
|
|
enable :update_escalation_status
|
2022-03-15 05:07:33 -04:00
|
|
|
enable :read_secure_files
|
2022-06-30 17:09:49 -04:00
|
|
|
enable :update_sentry_issue
|
2016-08-11 18:12:52 -04:00
|
|
|
end
|
|
|
|
|
2019-11-07 19:05:58 -05:00
|
|
|
rule { can?(:developer_access) & user_confirmed? }.policy do
|
|
|
|
enable :create_pipeline
|
|
|
|
enable :update_pipeline
|
|
|
|
enable :create_pipeline_schedule
|
|
|
|
end
|
|
|
|
|
2018-07-11 10:36:08 -04:00
|
|
|
rule { can?(:maintainer_access) }.policy do
|
2020-07-13 02:09:23 -04:00
|
|
|
enable :destroy_package
|
2022-06-07 11:08:12 -04:00
|
|
|
enable :admin_package
|
2021-03-02 19:10:50 -05:00
|
|
|
enable :admin_issue_board
|
2018-04-02 12:30:49 -04:00
|
|
|
enable :push_to_delete_protected_branch
|
2020-01-23 07:08:38 -05:00
|
|
|
enable :update_snippet
|
|
|
|
enable :admin_snippet
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :admin_project_member
|
|
|
|
enable :admin_note
|
|
|
|
enable :admin_wiki
|
|
|
|
enable :admin_project
|
|
|
|
enable :admin_commit_status
|
|
|
|
enable :admin_build
|
|
|
|
enable :admin_container_image
|
|
|
|
enable :admin_pipeline
|
|
|
|
enable :admin_environment
|
|
|
|
enable :admin_deployment
|
|
|
|
enable :admin_pages
|
|
|
|
enable :read_pages
|
|
|
|
enable :update_pages
|
2019-02-25 06:43:19 -05:00
|
|
|
enable :remove_pages
|
2018-12-04 16:38:15 -05:00
|
|
|
enable :add_cluster
|
2017-10-05 11:05:09 -04:00
|
|
|
enable :create_cluster
|
2018-10-14 20:42:02 -04:00
|
|
|
enable :update_cluster
|
|
|
|
enable :admin_cluster
|
2018-08-10 09:45:14 -04:00
|
|
|
enable :create_environment_terminal
|
2018-12-25 04:48:26 -05:00
|
|
|
enable :destroy_release
|
2019-03-06 06:06:21 -05:00
|
|
|
enable :destroy_artifacts
|
2019-09-05 17:17:36 -04:00
|
|
|
enable :admin_operations
|
2020-02-28 07:09:05 -05:00
|
|
|
enable :read_deploy_token
|
2020-03-10 05:08:10 -04:00
|
|
|
enable :create_deploy_token
|
2020-03-12 08:09:17 -04:00
|
|
|
enable :destroy_deploy_token
|
2020-03-25 05:08:11 -04:00
|
|
|
enable :read_prometheus_alerts
|
2020-04-01 08:08:00 -04:00
|
|
|
enable :admin_terraform_state
|
2020-05-15 08:08:28 -04:00
|
|
|
enable :create_freeze_period
|
|
|
|
enable :read_freeze_period
|
|
|
|
enable :update_freeze_period
|
|
|
|
enable :destroy_freeze_period
|
2020-09-17 02:09:32 -04:00
|
|
|
enable :admin_feature_flags_client
|
2022-03-08 07:20:17 -05:00
|
|
|
enable :register_project_runners
|
2021-06-14 11:09:48 -04:00
|
|
|
enable :update_runners_registration_token
|
2021-11-05 11:11:48 -04:00
|
|
|
enable :admin_project_google_cloud
|
2022-03-15 05:07:33 -04:00
|
|
|
enable :admin_secure_files
|
2022-07-19 11:09:10 -04:00
|
|
|
enable :read_web_hooks
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
2016-08-12 14:36:16 -04:00
|
|
|
|
2020-04-30 05:09:39 -04:00
|
|
|
rule { public_project & metrics_dashboard_allowed }.policy do
|
|
|
|
enable :metrics_dashboard
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { internal_access & metrics_dashboard_allowed }.policy do
|
|
|
|
enable :metrics_dashboard
|
|
|
|
end
|
|
|
|
|
2018-05-03 10:19:21 -04:00
|
|
|
rule { (mirror_available & can?(:admin_project)) | admin }.enable :admin_remote_mirror
|
2019-06-19 03:08:56 -04:00
|
|
|
rule { can?(:push_code) }.enable :admin_tag
|
2018-05-03 10:19:21 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { archived }.policy do
|
2020-07-29 02:09:49 -04:00
|
|
|
prevent(*readonly_abilities)
|
2018-04-02 14:38:47 -04:00
|
|
|
|
2020-07-29 02:09:49 -04:00
|
|
|
readonly_features.each do |feature|
|
2021-11-11 13:14:04 -05:00
|
|
|
prevent(*create_update_admin(feature))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { archived & ~pending_delete }.policy do
|
|
|
|
readonly_features.each do |feature|
|
|
|
|
prevent(:"destroy_#{feature}")
|
2018-04-02 14:38:47 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { issues_disabled }.policy do
|
|
|
|
prevent(*create_read_update_admin_destroy(:issue))
|
2021-03-02 19:10:50 -05:00
|
|
|
prevent(*create_read_update_admin_destroy(:issue_board))
|
|
|
|
prevent(*create_read_update_admin_destroy(:issue_board_list))
|
2016-08-12 14:36:16 -04:00
|
|
|
end
|
|
|
|
|
2022-03-31 17:08:16 -04:00
|
|
|
rule { merge_requests_disabled | repository_disabled | ~can?(:download_code) }.policy do
|
2018-04-06 08:18:58 -04:00
|
|
|
prevent :create_merge_request_in
|
|
|
|
prevent :create_merge_request_from
|
2018-04-02 14:38:47 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:merge_request))
|
2016-12-21 13:36:24 -05:00
|
|
|
end
|
|
|
|
|
2018-10-05 09:41:11 -04:00
|
|
|
rule { pages_disabled }.prevent :read_pages_content
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { issues_disabled & merge_requests_disabled }.policy do
|
2018-04-02 14:38:47 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:label))
|
|
|
|
prevent(*create_read_update_admin_destroy(:milestone))
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
rule { snippets_disabled }.policy do
|
2020-01-23 07:08:38 -05:00
|
|
|
prevent(*create_read_update_admin_destroy(:snippet))
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
|
|
|
|
2020-12-16 16:09:57 -05:00
|
|
|
rule { analytics_disabled }.policy do
|
|
|
|
prevent(:read_analytics)
|
2021-02-11 10:09:11 -05:00
|
|
|
prevent(:read_insights)
|
|
|
|
prevent(:read_cycle_analytics)
|
|
|
|
prevent(:read_repository_graphs)
|
2021-08-03 17:09:39 -04:00
|
|
|
prevent(:read_ci_cd_analytics)
|
2020-12-16 16:09:57 -05:00
|
|
|
end
|
|
|
|
|
2019-01-09 10:05:52 -05:00
|
|
|
rule { wiki_disabled }.policy do
|
2018-04-02 14:38:47 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:wiki))
|
2017-04-06 17:06:42 -04:00
|
|
|
prevent(:download_wiki_code)
|
|
|
|
end
|
|
|
|
|
2021-12-06 22:12:22 -05:00
|
|
|
rule { download_code_deploy_token }.policy do
|
|
|
|
enable :download_wiki_code
|
|
|
|
end
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { builds_disabled | repository_disabled }.policy do
|
2018-04-02 14:38:47 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:build))
|
|
|
|
prevent(*create_read_update_admin_destroy(:pipeline_schedule))
|
2020-05-21 14:08:27 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:environment))
|
2018-06-14 06:34:09 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:cluster))
|
2018-04-02 14:38:47 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:deployment))
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
|
|
|
|
2019-01-28 07:12:30 -05:00
|
|
|
# There's two separate cases when builds_disabled is true:
|
|
|
|
# 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
|
2020-02-07 10:09:52 -05:00
|
|
|
# - We do not prevent the user from accessing Pipelines to allow them to access external CI
|
2019-01-28 07:12:30 -05:00
|
|
|
# 2. When the user is not allowed to access CI - builds_disabled && ~internal_builds_disabled
|
|
|
|
# - We prevent the user from accessing Pipelines
|
|
|
|
rule { (builds_disabled & ~internal_builds_disabled) | repository_disabled }.policy do
|
|
|
|
prevent(*create_read_update_admin_destroy(:pipeline))
|
|
|
|
prevent(*create_read_update_admin_destroy(:commit_status))
|
|
|
|
end
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { repository_disabled }.policy do
|
|
|
|
prevent :push_code
|
|
|
|
prevent :download_code
|
2020-06-03 14:08:28 -04:00
|
|
|
prevent :build_download_code
|
2017-04-06 17:06:42 -04:00
|
|
|
prevent :fork_project
|
|
|
|
prevent :read_commit_status
|
2019-01-28 07:12:30 -05:00
|
|
|
prevent :read_pipeline
|
2020-04-30 08:09:45 -04:00
|
|
|
prevent :read_pipeline_schedule
|
2018-12-13 06:08:53 -05:00
|
|
|
prevent(*create_read_update_admin_destroy(:release))
|
2020-09-17 02:09:32 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:feature_flag))
|
|
|
|
prevent(:admin_feature_flags_user_lists)
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
rule { container_registry_disabled }.policy do
|
2018-04-02 14:38:47 -04:00
|
|
|
prevent(*create_read_update_admin_destroy(:container_image))
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
rule { anonymous & ~public_project }.prevent_all
|
2018-04-02 11:14:20 -04:00
|
|
|
|
|
|
|
rule { public_project }.policy do
|
|
|
|
enable :public_access
|
|
|
|
enable :read_project_for_iids
|
|
|
|
end
|
2017-04-06 17:06:42 -04:00
|
|
|
|
2021-07-29 17:10:10 -04:00
|
|
|
rule { ~public_project & ~internal_access & ~project_allowed_for_job_token }.prevent_all
|
2021-06-10 17:10:02 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { can?(:public_access) }.policy do
|
2020-07-10 11:09:07 -04:00
|
|
|
enable :read_package
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_project
|
2021-03-02 19:10:50 -05:00
|
|
|
enable :read_issue_board
|
|
|
|
enable :read_issue_board_list
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_wiki
|
|
|
|
enable :read_label
|
2022-01-31 01:12:59 -05:00
|
|
|
enable :read_planning_hierarchy
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_milestone
|
2020-01-23 07:08:38 -05:00
|
|
|
enable :read_snippet
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_project_member
|
|
|
|
enable :read_merge_request
|
|
|
|
enable :read_note
|
|
|
|
enable :read_pipeline
|
2020-04-30 08:09:45 -04:00
|
|
|
enable :read_pipeline_schedule
|
2020-07-31 17:10:12 -04:00
|
|
|
enable :read_environment
|
|
|
|
enable :read_deployment
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :read_commit_status
|
|
|
|
enable :read_container_image
|
|
|
|
enable :download_code
|
2018-12-13 06:08:53 -05:00
|
|
|
enable :read_release
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :download_wiki_code
|
|
|
|
enable :read_cycle_analytics
|
2018-10-05 09:41:11 -04:00
|
|
|
enable :read_pages_content
|
2020-12-16 16:09:57 -05:00
|
|
|
enable :read_analytics
|
2021-02-11 10:09:11 -05:00
|
|
|
enable :read_insights
|
2017-04-06 17:06:42 -04:00
|
|
|
|
|
|
|
# NOTE: may be overridden by IssuePolicy
|
|
|
|
enable :read_issue
|
|
|
|
end
|
|
|
|
|
2022-03-31 17:08:16 -04:00
|
|
|
rule { can?(:public_access) & public_builds }.enable :read_ci_cd_analytics
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { public_builds }.policy do
|
|
|
|
enable :read_build
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { public_builds & can?(:guest_access) }.policy do
|
|
|
|
enable :read_pipeline
|
2020-04-30 08:09:45 -04:00
|
|
|
enable :read_pipeline_schedule
|
2017-04-06 17:06:42 -04:00
|
|
|
end
|
|
|
|
|
2018-02-26 07:32:42 -05:00
|
|
|
# These rules are included to allow maintainers of projects to push to certain
|
2018-03-06 17:30:47 -05:00
|
|
|
# to run pipelines for the branches they have access to.
|
2019-11-07 19:05:58 -05:00
|
|
|
rule { can?(:public_access) & has_merge_requests_allowing_pushes & user_confirmed? }.policy do
|
2018-02-26 07:32:42 -05:00
|
|
|
enable :create_build
|
|
|
|
enable :create_pipeline
|
|
|
|
end
|
|
|
|
|
2018-04-02 11:14:20 -04:00
|
|
|
rule do
|
|
|
|
(can?(:read_project_for_iids) & issues_visible_to_user) | can?(:read_issue)
|
|
|
|
end.enable :read_issue_iid
|
|
|
|
|
|
|
|
rule do
|
2019-01-09 14:24:05 -05:00
|
|
|
(~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
|
2018-04-02 11:14:20 -04:00
|
|
|
end.enable :read_merge_request_iid
|
|
|
|
|
2019-04-09 11:38:58 -04:00
|
|
|
rule { ~can?(:read_cross_project) & ~classification_label_authorized }.policy do
|
|
|
|
# Preventing access here still allows the projects to be listed. Listing
|
|
|
|
# projects doesn't check the `:read_project` ability. But instead counts
|
|
|
|
# on the `project_authorizations` table.
|
|
|
|
#
|
|
|
|
# All other actions should explicitly check read project, which would
|
|
|
|
# trigger the `classification_label_authorized` condition.
|
|
|
|
#
|
|
|
|
# `:read_project_for_iids` is not prevented by this condition, as it is
|
|
|
|
# used for cross-project reference checks.
|
|
|
|
prevent :guest_access
|
|
|
|
prevent :public_access
|
|
|
|
prevent :public_user_access
|
|
|
|
prevent :reporter_access
|
|
|
|
prevent :developer_access
|
|
|
|
prevent :maintainer_access
|
|
|
|
prevent :owner_access
|
|
|
|
end
|
|
|
|
|
2019-04-11 11:21:18 -04:00
|
|
|
rule { blocked }.policy do
|
|
|
|
prevent :create_pipeline
|
|
|
|
end
|
|
|
|
|
2020-05-04 08:09:46 -04:00
|
|
|
rule { can?(:read_issue) }.policy do
|
|
|
|
enable :read_design
|
2020-06-19 14:08:39 -04:00
|
|
|
enable :read_design_activity
|
2020-08-19 14:10:34 -04:00
|
|
|
enable :read_issue_link
|
2022-06-08 08:08:46 -04:00
|
|
|
enable :read_work_item
|
2020-05-04 08:09:46 -04:00
|
|
|
end
|
|
|
|
|
2021-02-04 16:09:06 -05:00
|
|
|
rule { can?(:developer_access) }.policy do
|
|
|
|
enable :read_security_configuration
|
|
|
|
end
|
|
|
|
|
2022-05-02 05:10:46 -04:00
|
|
|
rule { can?(:guest_access) & can?(:download_code) }.policy do
|
2022-03-31 17:08:16 -04:00
|
|
|
enable :create_merge_request_in
|
|
|
|
end
|
|
|
|
|
2020-05-04 08:09:46 -04:00
|
|
|
# Design abilities could also be prevented in the issue policy.
|
|
|
|
rule { design_management_disabled }.policy do
|
|
|
|
prevent :read_design
|
2020-06-19 14:08:39 -04:00
|
|
|
prevent :read_design_activity
|
2020-05-04 08:09:46 -04:00
|
|
|
prevent :create_design
|
|
|
|
prevent :destroy_design
|
2020-07-27 20:10:23 -04:00
|
|
|
prevent :move_design
|
|
|
|
end
|
|
|
|
|
2021-07-02 20:06:54 -04:00
|
|
|
rule { download_code_deploy_key }.policy do
|
|
|
|
enable :download_code
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { push_code_deploy_key }.policy do
|
|
|
|
enable :push_code
|
|
|
|
end
|
|
|
|
|
2022-06-27 14:09:39 -04:00
|
|
|
rule { read_container_image_deploy_token }.policy do
|
|
|
|
enable :read_container_image
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { create_container_image_deploy_token }.policy do
|
|
|
|
enable :create_container_image
|
|
|
|
end
|
|
|
|
|
2020-05-13 05:08:37 -04:00
|
|
|
rule { read_package_registry_deploy_token }.policy do
|
|
|
|
enable :read_package
|
|
|
|
enable :read_project
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { write_package_registry_deploy_token }.policy do
|
|
|
|
enable :create_package
|
2020-11-16 16:09:02 -05:00
|
|
|
enable :read_package
|
2020-05-13 05:08:37 -04:00
|
|
|
enable :read_project
|
|
|
|
end
|
|
|
|
|
2020-05-25 11:07:58 -04:00
|
|
|
rule { can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
|
|
|
|
|
|
|
|
rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
|
|
|
|
|
2020-06-05 11:08:23 -04:00
|
|
|
rule { can?(:download_code) }.policy do
|
|
|
|
enable :read_repository_graphs
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { can?(:read_build) & can?(:read_pipeline) }.policy do
|
|
|
|
enable :read_build_report_results
|
|
|
|
end
|
|
|
|
|
2020-06-22 11:09:27 -04:00
|
|
|
rule { support_bot }.enable :guest_access
|
|
|
|
rule { support_bot & ~service_desk_enabled }.policy do
|
|
|
|
prevent :create_note
|
|
|
|
prevent :read_project
|
2021-08-03 17:09:39 -04:00
|
|
|
prevent :guest_access
|
2020-06-22 11:09:27 -04:00
|
|
|
end
|
|
|
|
|
2021-01-29 16:09:34 -05:00
|
|
|
rule { project_bot }.enable :project_bot_access
|
|
|
|
|
2021-12-06 22:12:22 -05:00
|
|
|
rule { can?(:read_all_resources) }.enable :read_resource_access_tokens
|
|
|
|
|
2021-03-26 17:09:22 -04:00
|
|
|
rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
|
|
|
|
enable :read_resource_access_tokens
|
|
|
|
enable :destroy_resource_access_tokens
|
2020-09-30 14:09:52 -04:00
|
|
|
end
|
|
|
|
|
2021-12-06 22:12:22 -05:00
|
|
|
rule { can?(:admin_project) & resource_access_token_feature_available & resource_access_token_creation_allowed }.policy do
|
2021-03-26 17:09:22 -04:00
|
|
|
enable :create_resource_access_tokens
|
|
|
|
end
|
|
|
|
|
2022-03-28 11:07:51 -04:00
|
|
|
rule { can?(:admin_project) }.policy do
|
|
|
|
enable :read_usage_quotas
|
|
|
|
end
|
|
|
|
|
2021-03-26 17:09:22 -04:00
|
|
|
rule { can?(:project_bot_access) }.policy do
|
|
|
|
prevent :create_resource_access_tokens
|
|
|
|
end
|
2021-01-29 16:09:34 -05:00
|
|
|
|
2021-01-14 07:10:54 -05:00
|
|
|
rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
|
|
|
|
enable :set_pipeline_variables
|
|
|
|
end
|
|
|
|
|
2021-02-18 13:10:41 -05:00
|
|
|
rule { ~security_and_compliance_disabled & can?(:developer_access) }.policy do
|
|
|
|
enable :access_security_and_compliance
|
|
|
|
end
|
|
|
|
|
2022-03-08 07:20:17 -05:00
|
|
|
rule { ~admin & ~project_runner_registration_allowed }.policy do
|
|
|
|
prevent :register_project_runners
|
|
|
|
end
|
|
|
|
|
2022-06-01 17:08:14 -04:00
|
|
|
rule { can?(:admin_project_member) }.policy do
|
|
|
|
enable :import_project_members_from_another_project
|
|
|
|
end
|
|
|
|
|
2022-06-17 02:08:15 -04:00
|
|
|
rule { registry_enabled & can?(:admin_container_image) }.policy do
|
|
|
|
enable :view_package_registry_project_settings
|
|
|
|
end
|
|
|
|
|
2022-07-19 14:09:21 -04:00
|
|
|
rule { packages_enabled & can?(:admin_package) }.policy do
|
|
|
|
enable :view_package_registry_project_settings
|
|
|
|
end
|
|
|
|
|
2017-02-05 13:54:19 -05:00
|
|
|
private
|
|
|
|
|
2020-08-18 14:10:10 -04:00
|
|
|
def user_is_user?
|
|
|
|
user.is_a?(User)
|
|
|
|
end
|
|
|
|
|
2017-08-24 13:06:04 -04:00
|
|
|
def team_member?
|
2017-04-06 17:06:42 -04:00
|
|
|
return false if @user.nil?
|
2020-08-18 14:10:10 -04:00
|
|
|
return false unless user_is_user?
|
2017-04-06 17:06:42 -04:00
|
|
|
|
|
|
|
greedy_load_subject = false
|
|
|
|
|
|
|
|
# when scoping by subject, we want to be greedy
|
|
|
|
# and load *all* the members with one query.
|
|
|
|
greedy_load_subject ||= DeclarativePolicy.preferred_scope == :subject
|
|
|
|
|
|
|
|
# in this case we're likely to have loaded #members already
|
|
|
|
# anyways, and #member? would fail with an error
|
|
|
|
greedy_load_subject ||= !@user.persisted?
|
|
|
|
|
|
|
|
if greedy_load_subject
|
2018-10-02 10:29:45 -04:00
|
|
|
# We want to load all the members with one query. Calling #include? on
|
|
|
|
# project.team.members will perform a separate query for each user, unless
|
|
|
|
# project.team.members was loaded before somewhere else. Calling #to_a
|
|
|
|
# ensures it's always loaded before checking for membership.
|
|
|
|
project.team.members.to_a.include?(user)
|
2017-04-06 17:06:42 -04:00
|
|
|
else
|
|
|
|
# otherwise we just make a specific query for
|
|
|
|
# this particular user.
|
|
|
|
team_access_level >= Gitlab::Access::GUEST
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-08-27 11:31:01 -04:00
|
|
|
# rubocop: disable CodeReuse/ActiveRecord
|
2017-04-06 17:06:42 -04:00
|
|
|
def project_group_member?
|
|
|
|
return false if @user.nil?
|
2020-08-18 14:10:10 -04:00
|
|
|
return false unless user_is_user?
|
2017-04-06 17:06:42 -04:00
|
|
|
|
2017-04-26 10:27:41 -04:00
|
|
|
project.group &&
|
|
|
|
(
|
2017-04-06 17:06:42 -04:00
|
|
|
project.group.members_with_parents.exists?(user_id: @user.id) ||
|
|
|
|
project.group.requesters.exists?(user_id: @user.id)
|
2017-04-26 10:27:41 -04:00
|
|
|
)
|
|
|
|
end
|
2018-08-27 11:31:01 -04:00
|
|
|
# rubocop: enable CodeReuse/ActiveRecord
|
2017-04-26 10:27:41 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
def team_access_level
|
|
|
|
return -1 if @user.nil?
|
2020-08-18 14:10:10 -04:00
|
|
|
return -1 unless user_is_user?
|
2017-02-05 13:54:19 -05:00
|
|
|
|
2019-05-08 09:08:56 -04:00
|
|
|
lookup_access_level!
|
|
|
|
end
|
|
|
|
|
|
|
|
def lookup_access_level!
|
2020-02-06 07:10:29 -05:00
|
|
|
return ::Gitlab::Access::REPORTER if alert_bot?
|
2020-06-22 11:09:27 -04:00
|
|
|
return ::Gitlab::Access::REPORTER if support_bot? && service_desk_enabled?
|
2020-02-06 07:10:29 -05:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
# NOTE: max_member_access has its own cache
|
|
|
|
project.team.max_member_access(@user.id)
|
|
|
|
end
|
|
|
|
|
2021-02-05 13:09:44 -05:00
|
|
|
def access_allowed_to?(feature)
|
2019-08-25 10:20:17 -04:00
|
|
|
return false unless project.project_feature
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
case project.project_feature.access_level(feature)
|
|
|
|
when ProjectFeature::DISABLED
|
|
|
|
false
|
|
|
|
when ProjectFeature::PRIVATE
|
2020-07-09 05:09:27 -04:00
|
|
|
can?(:read_all_resources) || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
|
2017-04-06 17:06:42 -04:00
|
|
|
else
|
|
|
|
true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-03-26 17:09:22 -04:00
|
|
|
def resource_access_token_feature_available?
|
2020-09-30 14:09:52 -04:00
|
|
|
true
|
|
|
|
end
|
|
|
|
|
2021-03-26 17:09:22 -04:00
|
|
|
def resource_access_token_creation_allowed?
|
|
|
|
group = project.group
|
|
|
|
|
|
|
|
return true unless group # always enable for projects in personal namespaces
|
|
|
|
|
2021-04-05 23:09:02 -04:00
|
|
|
resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
|
2021-03-26 17:09:22 -04:00
|
|
|
end
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
def project
|
|
|
|
@subject
|
2017-02-05 13:54:19 -05:00
|
|
|
end
|
2016-08-11 18:12:52 -04:00
|
|
|
end
|
2019-09-13 09:26:31 -04:00
|
|
|
|
2021-05-11 17:10:21 -04:00
|
|
|
ProjectPolicy.prepend_mod_with('ProjectPolicy')
|