gitlab-org--gitlab-foss/app/policies/group_policy.rb

# frozen_string_literal: true

class GroupPolicy < BasePolicy
  include FindGroupProjects

  desc "Group is public"
  with_options scope: :subject, score: 0
  condition(:public_group) { @subject.public? }

  with_score 0
  condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }

  condition(:has_access) { access_level != GroupMember::NO_ACCESS }

  condition(:guest) { access_level >= GroupMember::GUEST }
  condition(:developer) { access_level >= GroupMember::DEVELOPER }
  condition(:owner) { access_level >= GroupMember::OWNER }
  condition(:maintainer) { access_level >= GroupMember::MAINTAINER }
  condition(:reporter) { access_level >= GroupMember::REPORTER }

  condition(:has_parent, scope: :subject) { @subject.has_parent? }
  condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
  condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
  condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }

  condition(:has_projects) do
    group_projects_for(user: @user, group: @subject).any?
  end

  with_options scope: :subject, score: 0
  condition(:request_access_enabled) { @subject.request_access_enabled }

  condition(:create_projects_disabled) do
    @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
  end

  condition(:developer_maintainer_access) do
    @subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
  end

  condition(:maintainer_can_create_group) do
    @subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
  end

  rule { public_group }.policy do
    enable :read_group
    enable :read_package
  end

  rule { logged_in_viewable }.enable :read_group

  rule { guest }.policy do
    enable :read_group
    enable :upload_file
  end

  rule { admin }.policy do
    enable :read_group
    enable :update_max_artifacts_size
  end

  rule { has_projects }.policy do
    enable :read_group
  end

  rule { can?(:read_group) }.policy do
    enable :read_milestone
    enable :read_list
    enable :read_label
    enable :read_board
  end

  rule { has_access }.enable :read_namespace

  rule { developer }.policy do
    enable :admin_milestone
    enable :read_package
  end

  rule { reporter }.policy do
    enable :read_container_image
    enable :admin_label
    enable :admin_list
    enable :admin_issue
  end

  rule { maintainer }.policy do
    enable :create_projects
    enable :admin_pipeline
    enable :admin_build
    enable :read_cluster
    enable :add_cluster
    enable :create_cluster
    enable :update_cluster
    enable :admin_cluster
    enable :destroy_deploy_token
    enable :read_deploy_token
    enable :create_deploy_token
  end

  rule { owner }.policy do
    enable :admin_group
    enable :admin_namespace
    enable :admin_group_member
    enable :change_visibility_level

    enable :set_note_created_at
    enable :set_emails_disabled
  end

  rule { can?(:read_nested_project_resources) }.policy do
    enable :read_group_activity
    enable :read_group_issues
    enable :read_group_boards
    enable :read_group_labels
    enable :read_group_milestones
    enable :read_group_merge_requests
  end

  rule { can?(:read_cross_project) & can?(:read_group) }.policy do
    enable :read_nested_project_resources
  end

  rule { owner }.enable :create_subgroup
  rule { maintainer & maintainer_can_create_group }.enable :create_subgroup

  rule { public_group | logged_in_viewable }.enable :view_globally

  rule { default }.enable(:request_access)

  rule { ~request_access_enabled }.prevent :request_access
  rule { ~can?(:view_globally) }.prevent   :request_access
  rule { has_access }.prevent              :request_access

  rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock

  rule { developer & developer_maintainer_access }.enable :create_projects
  rule { create_projects_disabled }.prevent :create_projects

  rule { owner | admin }.enable :read_statistics

  rule { maintainer & can?(:create_projects) }.enable :transfer_projects

  def access_level
    return GroupMember::NO_ACCESS if @user.nil?

    @access_level ||= lookup_access_level!
  end

  def lookup_access_level!
    @subject.max_member_access_for_user(@user)
  end
end

GroupPolicy.prepend_if_ee('EE::GroupPolicy')
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 06:00:56 -04:00			`# frozen_string_literal: true`

port groups 2016-08-16 19:28:47 -04:00			`class GroupPolicy < BasePolicy`
Let project reporters create issue from group boards The current state of group issue boards does not show the "Add issues" button on the UI for users that are reporters of group child projects. 2019-09-04 12:33:02 -04:00			`include FindGroupProjects`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`desc "Group is public"`
			`with_options scope: :subject, score: 0`
			`condition(:public_group) { @subject.public? }`

			`with_score 0`
			`condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }`

			`condition(:has_access) { access_level != GroupMember::NO_ACCESS }`
port groups 2016-08-16 19:28:47 -04:00
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`condition(:guest) { access_level >= GroupMember::GUEST }`
Allow DEVELOPER role to admin milestones 2017-09-13 16:32:58 -04:00			`condition(:developer) { access_level >= GroupMember::DEVELOPER }`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`condition(:owner) { access_level >= GroupMember::OWNER }`
Resolve "Rename the `Master` role to `Maintainer`" Backend 2018-07-11 10:36:08 -04:00			`condition(:maintainer) { access_level >= GroupMember::MAINTAINER }`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`condition(:reporter) { access_level >= GroupMember::REPORTER }`
port groups 2016-08-16 19:28:47 -04:00
Optimize policy rule 2017-09-07 12:42:15 -04:00			`condition(:has_parent, scope: :subject) { @subject.has_parent? }`
Refer to “Share with group lock” consistently 2017-09-06 14:31:45 -04:00			`condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }`
			`condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }`
Optimize policy rule 2017-09-07 12:42:15 -04:00			`condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }`
Enforce share_with_group_lock rules …in Groups::UpdateService instead of only in the browser. 2017-09-01 21:00:46 -04:00
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`condition(:has_projects) do`
Let project reporters create issue from group boards The current state of group issue boards does not show the "Add issues" button on the UI for users that are reporters of group child projects. 2019-09-04 12:33:02 -04:00			`group_projects_for(user: @user, group: @subject).any?`
port groups 2016-08-16 19:28:47 -04:00			`end`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00
			`with_options scope: :subject, score: 0`
			`condition(:request_access_enabled) { @subject.request_access_enabled }`

Add part of needed code Add columns to store project creation settings Add project creation level column in groups and default project creation column in application settings Remove obsolete line from schema Update migration with project_creation_level column existence check Rename migrations to avoid conflicts Update migration methods Update migration method 2019-04-05 14:49:46 -04:00			`condition(:create_projects_disabled) do`
			`@subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS`
			`end`

			`condition(:developer_maintainer_access) do`
			`@subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS`
			`end`

Add policy to allow maintainers to create subgroups when enabled 2019-06-27 18:53:46 -04:00			`condition(:maintainer_can_create_group) do`
			`@subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS`
			`end`

EE-BACKPORT group boards 2017-12-06 14:07:47 -05:00			`rule { public_group }.policy do`
			`enable :read_group`
Add latest changes from gitlab-org/gitlab@master 2019-11-07 10:06:33 -05:00			`enable :read_package`
EE-BACKPORT group boards 2017-12-06 14:07:47 -05:00			`end`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`rule { logged_in_viewable }.enable :read_group`
Support uploads for groups 2017-12-06 06:36:11 -05:00
			`rule { guest }.policy do`
			`enable :read_group`
			`enable :upload_file`
			`end`

Add latest changes from gitlab-org/gitlab@master 2019-10-14 11:06:07 -04:00			`rule { admin }.policy do`
			`enable :read_group`
			`enable :update_max_artifacts_size`
			`end`
Fix users not seeing labels from private groups when being a member of a child project 2018-04-23 12:12:26 -04:00
			`rule { has_projects }.policy do`
Add latest changes from gitlab-org/gitlab@master 2019-10-01 17:06:09 -04:00			`enable :read_group`
			`end`

			`rule { can?(:read_group) }.policy do`
			`enable :read_milestone`
Enable `:read_list` when `:read_group` is enabled 2019-02-25 08:36:28 -05:00			`enable :read_list`
Fix users not seeing labels from private groups when being a member of a child project 2018-04-23 12:12:26 -04:00			`enable :read_label`
Add latest changes from gitlab-org/gitlab@master 2020-02-10 22:09:13 -05:00			`enable :read_board`
Fix users not seeing labels from private groups when being a member of a child project 2018-04-23 12:12:26 -04:00			`end`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00
Introduce :read_namespace access policy for namespace and group 2017-11-23 09:47:15 -05:00			`rule { has_access }.enable :read_namespace`

Add latest changes from gitlab-org/gitlab@master 2019-11-07 10:06:33 -05:00			`rule { developer }.policy do`
			`enable :admin_milestone`
			`enable :read_package`
			`end`
Bring one group board to CE 2018-02-19 14:06:16 -05:00
			`rule { reporter }.policy do`
Add group level container repository endpoints API endpoints for requesting container repositories and container repositories with their tag information are enabled for users that want to specify the group containing the repository rather than the specific project. 2019-08-05 16:00:50 -04:00			`enable :read_container_image`
Bring one group board to CE 2018-02-19 14:06:16 -05:00			`enable :admin_label`
			`enable :admin_list`
			`enable :admin_issue`
			`end`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00
Resolve "Rename the `Master` role to `Maintainer`" Backend 2018-07-11 10:36:08 -04:00			`rule { maintainer }.policy do`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`enable :create_projects`
Basic BE change Fix static-snalysis Move the precedence of group secure variable before project secure variable. Allow project_id to be null. Separate Ci::VariableProject and Ci::VariableGroup Add the forgotton files Add migration file to update type of ci_variables Fix form_for fpr VariableProject Fix test Change the table structure according to the yorik advice Add necessary migration files. Remove unnecessary migration spec. Revert safe_model_attributes.yml Fix models Fix spec Avoid self.variable. Use becomes for correct routing. Use unique index on group_id and key Add null: false for t.timestamps Fix schema version Rename VariableProject and VariableGroup to ProjectVariable and GroupVariable Rename the rest of them Add the rest of files Basic BE change Fix static-snalysis Move the precedence of group secure variable before project secure variable. Allow project_id to be null. Separate Ci::VariableProject and Ci::VariableGroup Add the forgotton files Add migration file to update type of ci_variables Fix form_for fpr VariableProject Fix test Change the table structure according to the yorik advice Add necessary migration files. Remove unnecessary migration spec. Revert safe_model_attributes.yml Fix models Fix spec Avoid self.variable. Use becomes for correct routing. Use unique index on group_id and key Add null: false for t.timestamps Fix schema version Rename VariableProject and VariableGroup to ProjectVariable and GroupVariable Rename the rest of them Add the rest of files Implement CURD Rename codes related to VariableGroup and VariableProject FE part Remove unneccesary changes Make Fe code up-to-date Add protected flag to migration file Protected group variables essential package Update schema Improve doc Fix logic and spec for models Fix logic and spec for controllers Fix logic and spec for views(pre feature) Add feature spec Fixed bugs. placeholder. reveal button. doc. Add changelog Remove unnecessary comment godfat nice catches Improve secret_variables_for arctecture Fix spec Fix StaticAnlysys & path_regex spec Revert "Improve secret_variables_for arctecture" This reverts commit c3216ca212322ecf6ca534cb12ce75811a4e77f1. Use ayufan suggestion for secret_variables_for Use find instead of find_by Fix spec message for variable is invalid Fix spec remove variable.group_id = group.id godffat spec nitpicks Use include Gitlab::Routing.url_helpers for presenter spec 2017-05-03 14:51:55 -04:00			`enable :admin_pipeline`
			`enable :admin_build`
Add policy for clusters on group level - maintainer for group can read, create, update, and admin cluster - project user, at any level, cannot do anything with group cluster 2018-10-14 20:42:02 -04:00			`enable :read_cluster`
Allow users to add cluster with ancestors Include a new policy in Clusterables (projects and groups), which checks if another cluster can be added clusterable_has_cluster? and multiple_clusters_available private methods will be overriden in EE Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/34758 2018-12-04 16:38:15 -05:00			`enable :add_cluster`
Add policy for clusters on group level - maintainer for group can read, create, update, and admin cluster - project user, at any level, cannot do anything with group cluster 2018-10-14 20:42:02 -04:00			`enable :create_cluster`
			`enable :update_cluster`
			`enable :admin_cluster`
Add latest changes from gitlab-org/gitlab@master 2020-03-08 20:08:14 -04:00			`enable :destroy_deploy_token`
Add latest changes from gitlab-org/gitlab@master 2020-03-11 02:10:11 -04:00			`enable :read_deploy_token`
Add latest changes from gitlab-org/gitlab@master 2020-03-11 17:09:19 -04:00			`enable :create_deploy_token`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`end`

			`rule { owner }.policy do`
			`enable :admin_group`
			`enable :admin_namespace`
			`enable :admin_group_member`
			`enable :change_visibility_level`
Use policies to determine if attributes can be set in the API This is more idiomatic than checking membership explicitly. 2018-08-22 08:10:54 -04:00
			`enable :set_note_created_at`
Allow disabling group/project email notifications - Adds UI to configure in group and project settings - Removes notification configuration for users when disabled at group or project level 2019-08-15 13:37:36 -04:00			`enable :set_emails_disabled`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`end`

Create cross project group features This allows us to check specific abilities in views, while still enabling/disabling them at once. 2018-07-03 08:08:46 -04:00			`rule { can?(:read_nested_project_resources) }.policy do`
			`enable :read_group_activity`
			`enable :read_group_issues`
			`enable :read_group_boards`
			`enable :read_group_labels`
			`enable :read_group_milestones`
			`enable :read_group_merge_requests`
			`end`

			`rule { can?(:read_cross_project) & can?(:read_group) }.policy do`
			`enable :read_nested_project_resources`
			`end`

Remove code related to object hierarchy in MySQL These are not required because MySQL is not supported anymore 2019-07-24 05:20:54 -04:00			`rule { owner }.enable :create_subgroup`
			`rule { maintainer & maintainer_can_create_group }.enable :create_subgroup`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00
			`rule { public_group \| logged_in_viewable }.enable :view_globally`

			`rule { default }.enable(:request_access)`

			`rule { ~request_access_enabled }.prevent :request_access`
			`rule { ~can?(:view_globally) }.prevent :request_access`
			`rule { has_access }.prevent :request_access`

Optimize policy rule 2017-09-07 12:42:15 -04:00			`rule { owner & (~share_with_group_locked \| ~has_parent \| ~parent_share_with_group_locked \| can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock`
Enforce share_with_group_lock rules …in Groups::UpdateService instead of only in the browser. 2017-09-01 21:00:46 -04:00
Add part of needed code Add columns to store project creation settings Add project creation level column in groups and default project creation column in application settings Remove obsolete line from schema Update migration with project_creation_level column existence check Rename migrations to avoid conflicts Update migration methods Update migration method 2019-04-05 14:49:46 -04:00			`rule { developer & developer_maintainer_access }.enable :create_projects`
			`rule { create_projects_disabled }.prevent :create_projects`

Expose namespace storage statistics with GraphQL Root namespaces have storage statistics. This commit allows namespace owners to get those stats via GraphQL queries like the following one { namespace(fullPath: "a_namespace_path") { rootStorageStatistics { storageSize repositorySize lfsObjectsSize buildArtifactsSize packagesSize wikiSize } } } 2019-08-22 18:08:28 -04:00			`rule { owner \| admin }.enable :read_statistics`

Require maintainer permission to transfer projects 2019-09-23 03:42:26 -04:00			`rule { maintainer & can?(:create_projects) }.enable :transfer_projects`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`def access_level`
			`return GroupMember::NO_ACCESS if @user.nil?`

CE changes for SSO web enforcement Adds two methods for us to extend in EE: - OmniauthCallbacksController#link_identity - GroupPolicy#lookup_access_level! 2019-05-06 12:18:03 -04:00			`@access_level \|\|= lookup_access_level!`
			`end`

			`def lookup_access_level!`
			`@subject.max_member_access_for_user(@user)`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`end`
port groups 2016-08-16 19:28:47 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2019-09-13 09:26:31 -04:00
			`GroupPolicy.prepend_if_ee('EE::GroupPolicy')`