gitlab-org--gitlab-foss/app/policies/global_policy.rb

# frozen_string_literal: true

class GlobalPolicy < BasePolicy
  desc "User is an internal user"
  with_options scope: :user, score: 0
  condition(:internal) { @user&.internal? }

  desc "User's access has been locked"
  with_options scope: :user, score: 0
  condition(:access_locked) { @user&.access_locked? }

  condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }

  condition(:required_terms_not_accepted, scope: :user, score: 0) do
    @user&.required_terms_not_accepted?
  end

  condition(:private_instance_statistics, score: 0) { Gitlab::CurrentSettings.instance_statistics_visibility_private? }

  condition(:project_bot, scope: :user) { @user&.project_bot? }
  condition(:migration_bot, scope: :user) { @user&.migration_bot? }

  rule { admin | (~private_instance_statistics & ~anonymous) }
    .enable :read_instance_statistics

  rule { anonymous }.policy do
    prevent :log_in
    prevent :receive_notifications
    prevent :use_quick_actions
    prevent :create_group
  end

  rule { default }.policy do
    enable :log_in
    enable :access_api
    enable :access_git
    enable :receive_notifications
    enable :use_quick_actions
    enable :use_slash_commands
  end

  rule { inactive }.policy do
    prevent :log_in
    prevent :access_api
    prevent :access_git
    prevent :use_slash_commands
  end

  rule { blocked | internal }.policy do
    prevent :log_in
    prevent :access_api
    prevent :receive_notifications
    prevent :use_slash_commands
  end

  rule { blocked | (internal & ~migration_bot) }.policy do
    prevent :access_git
  end

  rule { project_bot }.policy do
    prevent :log_in
    prevent :receive_notifications
  end

  rule { deactivated }.policy do
    prevent :access_git
    prevent :access_api
    prevent :receive_notifications
    prevent :use_slash_commands
  end

  rule { required_terms_not_accepted }.policy do
    prevent :access_api
    prevent :access_git
  end

  rule { can_create_group }.policy do
    enable :create_group
  end

  rule { can?(:create_group) }.policy do
    enable :create_group_with_default_branch_protection
  end

  rule { can_create_fork }.policy do
    enable :create_fork
  end

  rule { access_locked }.policy do
    prevent :log_in
    prevent :use_slash_commands
  end

  rule { ~(anonymous & restricted_public_level) }.policy do
    enable :read_users_list
  end

  rule { ~anonymous }.policy do
    enable :read_instance_metadata
    enable :create_snippet
  end

  rule { admin }.policy do
    enable :read_custom_attribute
    enable :update_custom_attribute
  end

  rule { external_user }.prevent :create_snippet
end

GlobalPolicy.prepend_if_ee('EE::GlobalPolicy')
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 10:00:56 +00:00			`# frozen_string_literal: true`

factor in global permissions 2016-08-16 23:29:19 +00:00			`class GlobalPolicy < BasePolicy`
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`desc "User is an internal user"`
			`with_options scope: :user, score: 0`
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 10:55:31 +00:00			`condition(:internal) { @user&.internal? }`
line break after guard clause 2016-08-30 18:14:07 +00:00
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`desc "User's access has been locked"`
			`with_options scope: :user, score: 0`
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 10:55:31 +00:00			`condition(:access_locked) { @user&.access_locked? }`
add User#internal? and some global permissions 2017-02-28 21:09:23 +00:00
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 10:55:31 +00:00			`condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { \|namespace\| @user.can?(:create_projects, namespace) } }`
moved fork checks into policies 2017-09-29 11:14:39 +00:00
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 13:07:55 +00:00			`condition(:required_terms_not_accepted, scope: :user, score: 0) do`
			`@user&.required_terms_not_accepted?`
			`end`

Add read_instance_statistics global policy 2018-07-23 13:30:11 +00:00			`condition(:private_instance_statistics, score: 0) { Gitlab::CurrentSettings.instance_statistics_visibility_private? }`
Spec instance statistics 2018-07-25 15:36:08 +00:00
Add latest changes from gitlab-org/gitlab@master 2020-04-21 15:21:10 +00:00			`condition(:project_bot, scope: :user) { @user&.project_bot? }`
Add latest changes from gitlab-org/gitlab@master 2020-05-04 21:09:41 +00:00			`condition(:migration_bot, scope: :user) { @user&.migration_bot? }`
Add latest changes from gitlab-org/gitlab@master 2020-04-21 15:21:10 +00:00
Spec instance statistics 2018-07-25 15:36:08 +00:00			`rule { admin \| (~private_instance_statistics & ~anonymous) }`
			`.enable :read_instance_statistics`
Add read_instance_statistics global policy 2018-07-23 13:30:11 +00:00
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 13:29:34 +00:00			`rule { anonymous }.policy do`
			`prevent :log_in`
			`prevent :receive_notifications`
			`prevent :use_quick_actions`
			`prevent :create_group`
			`end`
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00
			`rule { default }.policy do`
			`enable :log_in`
			`enable :access_api`
			`enable :access_git`
			`enable :receive_notifications`
			`enable :use_quick_actions`
Restrict slash commands to users who can log in 2019-07-04 10:31:44 +00:00			`enable :use_slash_commands`
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 21:08:47 +00:00			`rule { inactive }.policy do`
			`prevent :log_in`
			`prevent :access_api`
			`prevent :access_git`
			`prevent :use_slash_commands`
			`end`

convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`rule { blocked \| internal }.policy do`
			`prevent :log_in`
			`prevent :access_api`
			`prevent :receive_notifications`
Restrict slash commands to users who can log in 2019-07-04 10:31:44 +00:00			`prevent :use_slash_commands`
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-05-04 21:09:41 +00:00			`rule { blocked \| (internal & ~migration_bot) }.policy do`
			`prevent :access_git`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-04-21 15:21:10 +00:00			`rule { project_bot }.policy do`
			`prevent :log_in`
			`prevent :receive_notifications`
			`end`

Add latest changes from gitlab-org/gitlab@master 2019-10-10 00:06:44 +00:00			`rule { deactivated }.policy do`
			`prevent :access_git`
			`prevent :access_api`
			`prevent :receive_notifications`
Add latest changes from gitlab-org/gitlab@master 2019-10-11 00:06:24 +00:00			`prevent :use_slash_commands`
Add latest changes from gitlab-org/gitlab@master 2019-10-10 00:06:44 +00:00			`end`

Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 13:07:55 +00:00			`rule { required_terms_not_accepted }.policy do`
			`prevent :access_api`
			`prevent :access_git`
			`end`

convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`rule { can_create_group }.policy do`
			`enable :create_group`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-04-24 09:09:44 +00:00			`rule { can?(:create_group) }.policy do`
			`enable :create_group_with_default_branch_protection`
			`end`

moved fork checks into policies 2017-09-29 11:14:39 +00:00			`rule { can_create_fork }.policy do`
			`enable :create_fork`
			`end`

convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`rule { access_locked }.policy do`
			`prevent :log_in`
Restrict slash commands to users who can log in 2019-07-04 10:31:44 +00:00			`prevent :use_slash_commands`
factor in global permissions 2016-08-16 23:29:19 +00:00			`end`
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 13:29:34 +00:00
Allow logged in users to read user list under public restriction 2017-08-01 07:46:13 +00:00			`rule { ~(anonymous & restricted_public_level) }.policy do`
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 13:29:34 +00:00			`enable :read_users_list`
factor in global permissions 2016-08-16 23:29:19 +00:00			`end`
Support custom attributes on users 2017-09-28 16:49:42 +00:00
Add metadata about the GitLab server to GraphQL 2019-01-24 16:23:57 +00:00			`rule { ~anonymous }.policy do`
			`enable :read_instance_metadata`
Add latest changes from gitlab-org/gitlab@master 2020-01-23 12:08:38 +00:00			`enable :create_snippet`
Add metadata about the GitLab server to GraphQL 2019-01-24 16:23:57 +00:00			`end`

Support custom attributes on users 2017-09-28 16:49:42 +00:00			`rule { admin }.policy do`
			`enable :read_custom_attribute`
			`enable :update_custom_attribute`
			`end`
Add latest changes from gitlab-org/gitlab@master 2019-11-29 21:06:13 +00:00
Add latest changes from gitlab-org/gitlab@master 2020-01-23 12:08:38 +00:00			`rule { external_user }.prevent :create_snippet`
factor in global permissions 2016-08-16 23:29:19 +00:00			`end`
Add latest changes from gitlab-org/gitlab@master 2019-09-13 13:26:31 +00:00
			`GlobalPolicy.prepend_if_ee('EE::GlobalPolicy')`