gitlab-org--gitlab-foss/app/policies/global_policy.rb

# frozen_string_literal: true

class GlobalPolicy < BasePolicy
  desc "User is an internal user"
  with_options scope: :user, score: 0
  condition(:internal) { @user&.internal? }

  desc "User's access has been locked"
  with_options scope: :user, score: 0
  condition(:access_locked) { @user&.access_locked? }

  condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }

  condition(:required_terms_not_accepted, scope: :user, score: 0) do
    @user&.required_terms_not_accepted?
  end

  condition(:password_expired, scope: :user) do
    @user&.password_expired_if_applicable?
  end

  condition(:project_bot, scope: :user) { @user&.project_bot? }
  condition(:migration_bot, scope: :user) { @user&.migration_bot? }

  rule { anonymous }.policy do
    prevent :log_in
    prevent :receive_notifications
    prevent :use_quick_actions
    prevent :create_group
    prevent :execute_graphql_mutation
  end

  rule { default }.policy do
    enable :log_in
    enable :access_api
    enable :access_git
    enable :receive_notifications
    enable :use_quick_actions
    enable :use_slash_commands
    enable :execute_graphql_mutation
  end

  rule { inactive }.policy do
    prevent :log_in
    prevent :access_api
    prevent :access_git
    prevent :use_slash_commands
  end

  rule { blocked | internal }.policy do
    prevent :log_in
    prevent :access_api
    prevent :receive_notifications
    prevent :use_slash_commands
  end

  rule { ~can?(:access_api) }.prevent :execute_graphql_mutation

  rule { blocked | (internal & ~migration_bot & ~security_bot) }.policy do
    prevent :access_git
  end

  rule { project_bot }.policy do
    prevent :log_in
    prevent :receive_notifications
  end

  rule { deactivated }.policy do
    prevent :access_git
    prevent :access_api
    prevent :receive_notifications
    prevent :use_slash_commands
  end

  rule { required_terms_not_accepted }.policy do
    prevent :access_api
    prevent :access_git
  end

  rule { password_expired }.policy do
    prevent :access_api
    prevent :access_git
    prevent :use_slash_commands
  end

  rule { can_create_group }.policy do
    enable :create_group
  end

  rule { can?(:create_group) }.policy do
    enable :create_group_with_default_branch_protection
  end

  rule { can_create_fork }.policy do
    enable :create_fork
  end

  rule { access_locked }.policy do
    prevent :log_in
    prevent :use_slash_commands
  end

  rule { ~(anonymous & restricted_public_level) }.policy do
    enable :read_users_list
  end

  rule { ~anonymous }.policy do
    enable :read_instance_metadata
    enable :create_snippet
  end

  rule { admin }.policy do
    enable :read_custom_attribute
    enable :update_custom_attribute
    enable :approve_user
    enable :reject_user
    enable :read_usage_trends_measurement
    enable :update_runners_registration_token
  end

  # We can't use `read_statistics` because the user may have different permissions for different projects
  rule { admin }.enable :use_project_statistics_filters

  rule { external_user }.prevent :create_snippet
end

GlobalPolicy.prepend_mod_with('GlobalPolicy')
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 06:00:56 -04:00			`# frozen_string_literal: true`

factor in global permissions 2016-08-16 19:29:19 -04:00			`class GlobalPolicy < BasePolicy`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`desc "User is an internal user"`
			`with_options scope: :user, score: 0`
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`condition(:internal) { @user&.internal? }`
line break after guard clause 2016-08-30 14:14:07 -04:00
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`desc "User's access has been locked"`
			`with_options scope: :user, score: 0`
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`condition(:access_locked) { @user&.access_locked? }`
add User#internal? and some global permissions 2017-02-28 16:09:23 -05:00
Allows `access_(git\|api)` to anonymous users The `access_git` and `access_api` were currently never checked for anonymous users. And they would also be allowed access: An anonymous user can clone and pull from a public repo An anonymous user can request public information from the API So the policy didn't actually reflect what we were enforcing. 2018-05-09 06:55:31 -04:00			`condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { \|namespace\| @user.can?(:create_projects, namespace) } }`
moved fork checks into policies 2017-09-29 07:14:39 -04:00
Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`condition(:required_terms_not_accepted, scope: :user, score: 0) do`
			`@user&.required_terms_not_accepted?`
			`end`

Add latest changes from gitlab-org/gitlab@master 2021-06-01 17:10:06 -04:00			`condition(:password_expired, scope: :user) do`
Add latest changes from gitlab-org/gitlab@master 2021-06-16 14:10:35 -04:00			`@user&.password_expired_if_applicable?`
Add latest changes from gitlab-org/gitlab@master 2021-06-01 17:10:06 -04:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-04-21 11:21:10 -04:00			`condition(:project_bot, scope: :user) { @user&.project_bot? }`
Add latest changes from gitlab-org/gitlab@master 2020-05-04 17:09:41 -04:00			`condition(:migration_bot, scope: :user) { @user&.migration_bot? }`
Add latest changes from gitlab-org/gitlab@master 2020-04-21 11:21:10 -04:00
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 09:29:34 -04:00			`rule { anonymous }.policy do`
			`prevent :log_in`
			`prevent :receive_notifications`
			`prevent :use_quick_actions`
			`prevent :create_group`
Add latest changes from gitlab-org/gitlab@master 2021-04-28 11:09:35 -04:00			`prevent :execute_graphql_mutation`
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 09:29:34 -04:00			`end`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00
			`rule { default }.policy do`
			`enable :log_in`
			`enable :access_api`
			`enable :access_git`
			`enable :receive_notifications`
			`enable :use_quick_actions`
Restrict slash commands to users who can log in 2019-07-04 06:31:44 -04:00			`enable :use_slash_commands`
Add latest changes from gitlab-org/gitlab@master 2021-04-28 11:09:35 -04:00			`enable :execute_graphql_mutation`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 16:08:47 -05:00			`rule { inactive }.policy do`
			`prevent :log_in`
			`prevent :access_api`
			`prevent :access_git`
			`prevent :use_slash_commands`
			`end`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`rule { blocked \| internal }.policy do`
			`prevent :log_in`
			`prevent :access_api`
			`prevent :receive_notifications`
Restrict slash commands to users who can log in 2019-07-04 06:31:44 -04:00			`prevent :use_slash_commands`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`end`

Add latest changes from gitlab-org/gitlab@master 2021-04-28 11:09:35 -04:00			`rule { ~can?(:access_api) }.prevent :execute_graphql_mutation`

Add latest changes from gitlab-org/gitlab@master 2020-12-11 13:09:57 -05:00			`rule { blocked \| (internal & ~migration_bot & ~security_bot) }.policy do`
Add latest changes from gitlab-org/gitlab@master 2020-05-04 17:09:41 -04:00			`prevent :access_git`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-04-21 11:21:10 -04:00			`rule { project_bot }.policy do`
			`prevent :log_in`
			`prevent :receive_notifications`
			`end`

Add latest changes from gitlab-org/gitlab@master 2019-10-09 20:06:44 -04:00			`rule { deactivated }.policy do`
			`prevent :access_git`
			`prevent :access_api`
			`prevent :receive_notifications`
Add latest changes from gitlab-org/gitlab@master 2019-10-10 20:06:24 -04:00			`prevent :use_slash_commands`
Add latest changes from gitlab-org/gitlab@master 2019-10-09 20:06:44 -04:00			`end`

Block access to API & git when terms are enforced When terms are enforced, but the user has not accepted the terms access to the API & git is rejected with a message directing the user to the web app to accept the terms. 2018-05-08 09:07:55 -04:00			`rule { required_terms_not_accepted }.policy do`
			`prevent :access_api`
			`prevent :access_git`
			`end`

Add latest changes from gitlab-org/gitlab@master 2021-06-01 17:10:06 -04:00			`rule { password_expired }.policy do`
			`prevent :access_api`
			`prevent :access_git`
			`prevent :use_slash_commands`
			`end`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`rule { can_create_group }.policy do`
			`enable :create_group`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-04-24 05:09:44 -04:00			`rule { can?(:create_group) }.policy do`
			`enable :create_group_with_default_branch_protection`
			`end`

moved fork checks into policies 2017-09-29 07:14:39 -04:00			`rule { can_create_fork }.policy do`
			`enable :create_fork`
			`end`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`rule { access_locked }.policy do`
			`prevent :log_in`
Restrict slash commands to users who can log in 2019-07-04 06:31:44 -04:00			`prevent :use_slash_commands`
factor in global permissions 2016-08-16 19:29:19 -04:00			`end`
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 09:29:34 -04:00
Allow logged in users to read user list under public restriction 2017-08-01 03:46:13 -04:00			`rule { ~(anonymous & restricted_public_level) }.policy do`
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 09:29:34 -04:00			`enable :read_users_list`
factor in global permissions 2016-08-16 19:29:19 -04:00			`end`
Support custom attributes on users 2017-09-28 12:49:42 -04:00
Add metadata about the GitLab server to GraphQL 2019-01-24 11:23:57 -05:00			`rule { ~anonymous }.policy do`
			`enable :read_instance_metadata`
Add latest changes from gitlab-org/gitlab@master 2020-01-23 07:08:38 -05:00			`enable :create_snippet`
Add metadata about the GitLab server to GraphQL 2019-01-24 11:23:57 -05:00			`end`

Support custom attributes on users 2017-09-28 12:49:42 -04:00			`rule { admin }.policy do`
			`enable :read_custom_attribute`
			`enable :update_custom_attribute`
Add latest changes from gitlab-org/gitlab@master 2020-10-15 08:09:06 -04:00			`enable :approve_user`
Add latest changes from gitlab-org/gitlab@master 2020-12-02 19:09:53 -05:00			`enable :reject_user`
Add latest changes from gitlab-org/gitlab@master 2021-02-18 10:09:43 -05:00			`enable :read_usage_trends_measurement`
Add latest changes from gitlab-org/gitlab@master 2021-06-14 11:09:48 -04:00			`enable :update_runners_registration_token`
Support custom attributes on users 2017-09-28 12:49:42 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2019-11-29 16:06:13 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-06-19 17:08:32 -04:00			# We can't use `read_statistics` because the user may have different permissions for different projects
			`rule { admin }.enable :use_project_statistics_filters`

Add latest changes from gitlab-org/gitlab@master 2020-01-23 07:08:38 -05:00			`rule { external_user }.prevent :create_snippet`
factor in global permissions 2016-08-16 19:29:19 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2019-09-13 09:26:31 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-05-11 17:10:21 -04:00			`GlobalPolicy.prepend_mod_with('GlobalPolicy')`