kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/app/policies/group_policy.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

335 lines
10 KiB
Ruby
Raw Normal View History

Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424.
2018-07-24 06:00:56 -04:00
# frozen_string_literal: true
Add latest changes from gitlab-org/gitlab@master
2021-12-09 07:15:43 -05:00
class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
Let project reporters create issue from group boards The current state of group issue boards does not show the "Add issues" button on the UI for users that are reporters of group child projects.
2019-09-04 12:33:02 -04:00
include FindGroupProjects
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
desc "Group is public"
with_options scope: :subject, score: 0
condition(:public_group) { @subject.public? }
with_score 0
condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }
condition(:has_access) { access_level != GroupMember::NO_ACCESS }
port groups
2016-08-16 19:28:47 -04:00
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
condition(:guest) { access_level >= GroupMember::GUEST }
Allow DEVELOPER role to admin milestones
2017-09-13 16:32:58 -04:00
condition(:developer) { access_level >= GroupMember::DEVELOPER }
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
condition(:owner) { access_level >= GroupMember::OWNER }
Resolve "Rename the `Master` role to `Maintainer`" Backend
2018-07-11 10:36:08 -04:00
condition(:maintainer) { access_level >= GroupMember::MAINTAINER }
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
condition(:reporter) { access_level >= GroupMember::REPORTER }
port groups
2016-08-16 19:28:47 -04:00
Optimize policy rule
2017-09-07 12:42:15 -04:00
condition(:has_parent, scope: :subject) { @subject.has_parent? }
Refer to “Share with group lock” consistently
2017-09-06 14:31:45 -04:00
condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
Optimize policy rule
2017-09-07 12:42:15 -04:00
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
Add latest changes from gitlab-org/gitlab@master
2022-05-11 05:08:10 -04:00
condition(:migration_bot, scope: :user) { @user.migration_bot? }
Add latest changes from gitlab-org/gitlab@master
2022-06-01 17:08:14 -04:00
condition(:can_read_group_member) { can_read_group_member? }
Enforce share_with_group_lock rules …in Groups::UpdateService instead of only in the browser.
2017-09-01 21:00:46 -04:00
Add latest changes from gitlab-org/gitlab@master
2022-01-07 19:14:32 -05:00
desc "User is a project bot"
condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST }
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
condition(:has_projects) do
Let project reporters create issue from group boards The current state of group issue boards does not show the "Add issues" button on the UI for users that are reporters of group child projects.
2019-09-04 12:33:02 -04:00
group_projects_for(user: @user, group: @subject).any?
port groups
2016-08-16 19:28:47 -04:00
end
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
with_options scope: :subject, score: 0
condition(:request_access_enabled) { @subject.request_access_enabled }
Add part of needed code Add columns to store project creation settings Add project creation level column in groups and default project creation column in application settings Remove obsolete line from schema Update migration with project_creation_level column existence check Rename migrations to avoid conflicts Update migration methods Update migration method
2019-04-05 14:49:46 -04:00
condition(:create_projects_disabled) do
@subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
end
condition(:developer_maintainer_access) do
@subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
end
Add policy to allow maintainers to create subgroups when enabled
2019-06-27 18:53:46 -04:00
condition(:maintainer_can_create_group) do
@subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
end
Add latest changes from gitlab-org/gitlab@master
2020-06-19 14:08:39 -04:00
condition(:design_management_enabled) do
group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
end
Add latest changes from gitlab-org/gitlab@master
2020-11-13 16:09:31 -05:00
condition(:dependency_proxy_available) do
@subject.dependency_proxy_feature_available?
end
Add latest changes from gitlab-org/gitlab@master
2021-08-04 05:08:21 -04:00
condition(:dependency_proxy_access_allowed) do
Add latest changes from gitlab-org/gitlab@master
2022-05-06 17:08:35 -04:00
access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
Add latest changes from gitlab-org/gitlab@master
2021-08-04 05:08:21 -04:00
end
Add latest changes from gitlab-org/gitlab@master
2020-09-25 14:09:46 -04:00
desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
end
desc "Deploy token with write_package_registry scope"
condition(:write_package_registry_deploy_token) do
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.write_package_registry
end
Add latest changes from gitlab-org/gitlab@master
2020-09-30 14:09:52 -04:00
with_scope :subject
Add latest changes from gitlab-org/gitlab@master
2021-03-26 17:09:22 -04:00
condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
Add latest changes from gitlab-org/gitlab@master
2020-09-30 14:09:52 -04:00
Add latest changes from gitlab-org/gitlab@master
2020-11-10 10:09:14 -05:00
with_scope :subject
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
Add latest changes from gitlab-org/gitlab@master
2022-06-17 08:09:20 -04:00
condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
Add latest changes from gitlab-org/gitlab@master
2021-10-29 11:11:56 -04:00
Add latest changes from gitlab-org/gitlab@master
2022-02-23 10:14:44 -05:00
condition(:group_runner_registration_allowed) do
Add latest changes from gitlab-org/gitlab@master
2022-05-06 11:09:03 -04:00
Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
Add latest changes from gitlab-org/gitlab@master
2021-12-16 16:14:09 -05:00
end
Add latest changes from gitlab-org/gitlab@master
2021-01-18 04:11:05 -05:00
rule { can?(:read_group) & design_management_enabled }.policy do
Add latest changes from gitlab-org/gitlab@master
2020-06-19 14:08:39 -04:00
enable :read_design_activity
end
EE-BACKPORT group boards
2017-12-06 14:07:47 -05:00
rule { public_group }.policy do
enable :read_group
Add latest changes from gitlab-org/gitlab@master
2019-11-07 10:06:33 -05:00
enable :read_package
EE-BACKPORT group boards
2017-12-06 14:07:47 -05:00
end
Add latest changes from gitlab-org/gitlab@master
2020-05-06 11:09:42 -04:00
rule { logged_in_viewable }.enable :read_group
Support uploads for groups
2017-12-06 06:36:11 -05:00
rule { guest }.policy do
enable :read_group
enable :upload_file
Add latest changes from gitlab-org/gitlab@master
2021-09-15 08:11:13 -04:00
enable :guest_access
Add latest changes from gitlab-org/gitlab@master
2022-02-10 01:17:41 -05:00
enable :read_release
Support uploads for groups
2017-12-06 06:36:11 -05:00
end
Add latest changes from gitlab-org/gitlab@master
2019-10-14 11:06:07 -04:00
rule { admin }.policy do
enable :read_group
enable :update_max_artifacts_size
end
Fix users not seeing labels from private groups when being a member of a child project
2018-04-23 12:12:26 -04:00
Add latest changes from gitlab-org/gitlab@master
2020-06-29 08:09:20 -04:00
rule { can?(:read_all_resources) }.policy do
enable :read_confidential_issues
end
Fix users not seeing labels from private groups when being a member of a child project
2018-04-23 12:12:26 -04:00
rule { has_projects }.policy do
Add latest changes from gitlab-org/gitlab@master
2019-10-01 17:06:09 -04:00
enable :read_group
end
rule { can?(:read_group) }.policy do
enable :read_milestone
Add latest changes from gitlab-org/gitlab@master
2021-03-02 19:10:50 -05:00
enable :read_issue_board_list
Fix users not seeing labels from private groups when being a member of a child project
2018-04-23 12:12:26 -04:00
enable :read_label
Add latest changes from gitlab-org/gitlab@master
2021-03-02 19:10:50 -05:00
enable :read_issue_board
Add latest changes from gitlab-org/gitlab@master
2020-09-14 11:09:28 -04:00
enable :read_group_member
Add latest changes from gitlab-org/gitlab@master
2020-11-16 16:09:02 -05:00
enable :read_custom_emoji
Add latest changes from gitlab-org/gitlab@master
2021-08-24 14:10:53 -04:00
enable :read_counts
Fix users not seeing labels from private groups when being a member of a child project
2018-04-23 12:12:26 -04:00
end
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
Add latest changes from gitlab-org/gitlab@master
2021-08-24 14:10:53 -04:00
rule { ~public_group & ~has_access }.prevent :read_counts
Add latest changes from gitlab-org/gitlab@master
2022-06-01 17:08:14 -04:00
rule { ~can_read_group_member }.policy do
prevent :read_group_member
end
Add latest changes from gitlab-org/gitlab@master
2020-06-19 14:08:39 -04:00
rule { ~can?(:read_group) }.policy do
prevent :read_design_activity
end
Introduce :read_namespace access policy for namespace and group
2017-11-23 09:47:15 -05:00
rule { has_access }.enable :read_namespace
Add latest changes from gitlab-org/gitlab@master
2019-11-07 10:06:33 -05:00
rule { developer }.policy do
Add latest changes from gitlab-org/gitlab@master
2020-04-07 14:09:19 -04:00
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
Add latest changes from gitlab-org/gitlab@master
2020-11-16 16:09:02 -05:00
enable :create_custom_emoji
Add latest changes from gitlab-org/gitlab@master
2021-07-26 17:08:38 -04:00
enable :create_package
Add latest changes from gitlab-org/gitlab@master
2021-09-15 08:11:13 -04:00
enable :developer_access
Add latest changes from gitlab-org/gitlab@master
2021-10-29 11:11:56 -04:00
enable :admin_crm_organization
enable :admin_crm_contact
Add latest changes from gitlab-org/gitlab@master
2022-01-27 19:14:06 -05:00
enable :read_cluster
Add latest changes from gitlab-org/gitlab@master
2019-11-07 10:06:33 -05:00
end
Bring one group board to CE
2018-02-19 14:06:16 -05:00
rule { reporter }.policy do
Add latest changes from gitlab-org/gitlab@master
2020-04-21 11:21:10 -04:00
enable :reporter_access
Add group level container repository endpoints API endpoints for requesting container repositories and container repositories with their tag information are enabled for users that want to specify the group containing the repository rather than the specific project.
2019-08-05 16:00:50 -04:00
enable :read_container_image
Add latest changes from gitlab-org/gitlab@master
2022-07-13 20:08:59 -04:00
enable :read_harbor_registry
Add latest changes from gitlab-org/gitlab@master
2021-03-02 19:10:50 -05:00
enable :admin_issue_board
Bring one group board to CE
2018-02-19 14:06:16 -05:00
enable :admin_label
Add latest changes from gitlab-org/gitlab@master
2022-04-29 14:08:18 -04:00
enable :admin_milestone
Add latest changes from gitlab-org/gitlab@master
2021-03-02 19:10:50 -05:00
enable :admin_issue_board_list
Bring one group board to CE
2018-02-19 14:06:16 -05:00
enable :admin_issue
Add latest changes from gitlab-org/gitlab@master
2020-04-07 14:09:19 -04:00
enable :read_metrics_dashboard_annotation
Add latest changes from gitlab-org/gitlab@master
2020-07-07 02:09:06 -04:00
enable :read_prometheus
Add latest changes from gitlab-org/gitlab@master
2020-09-25 14:09:46 -04:00
enable :read_package
Add latest changes from gitlab-org/gitlab@master
2022-01-11 07:14:06 -05:00
enable :read_crm_organization
enable :read_crm_contact
Bring one group board to CE
2018-02-19 14:06:16 -05:00
end
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
Resolve "Rename the `Master` role to `Maintainer`" Backend
2018-07-11 10:36:08 -04:00
rule { maintainer }.policy do
Add latest changes from gitlab-org/gitlab@master
2021-07-26 17:08:38 -04:00
enable :destroy_package
Add latest changes from gitlab-org/gitlab@master
2022-05-11 08:09:03 -04:00
enable :admin_package
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
enable :create_projects
Basic BE change Fix static-snalysis Move the precedence of group secure variable before project secure variable. Allow project_id to be null. Separate Ci::VariableProject and Ci::VariableGroup Add the forgotton files Add migration file to update type of ci_variables Fix form_for fpr VariableProject Fix test Change the table structure according to the yorik advice Add necessary migration files. Remove unnecessary migration spec. Revert safe_model_attributes.yml Fix models Fix spec Avoid self.variable. Use becomes for correct routing. Use unique index on group_id and key Add null: false for t.timestamps Fix schema version Rename VariableProject and VariableGroup to ProjectVariable and GroupVariable Rename the rest of them Add the rest of files Basic BE change Fix static-snalysis Move the precedence of group secure variable before project secure variable. Allow project_id to be null. Separate Ci::VariableProject and Ci::VariableGroup Add the forgotton files Add migration file to update type of ci_variables Fix form_for fpr VariableProject Fix test Change the table structure according to the yorik advice Add necessary migration files. Remove unnecessary migration spec. Revert safe_model_attributes.yml Fix models Fix spec Avoid self.variable. Use becomes for correct routing. Use unique index on group_id and key Add null: false for t.timestamps Fix schema version Rename VariableProject and VariableGroup to ProjectVariable and GroupVariable Rename the rest of them Add the rest of files Implement CURD Rename codes related to VariableGroup and VariableProject FE part Remove unneccesary changes Make Fe code up-to-date Add protected flag to migration file Protected group variables essential package Update schema Improve doc Fix logic and spec for models Fix logic and spec for controllers Fix logic and spec for views(pre feature) Add feature spec Fixed bugs. placeholder. reveal button. doc. Add changelog Remove unnecessary comment godfat nice catches Improve secret_variables_for arctecture Fix spec Fix StaticAnlysys & path_regex spec Revert "Improve secret_variables_for arctecture" This reverts commit c3216ca212322ecf6ca534cb12ce75811a4e77f1. Use ayufan suggestion for secret_variables_for Use find instead of find_by Fix spec message for variable is invalid Fix spec remove variable.group_id = group.id godffat spec nitpicks Use include Gitlab::Routing.url_helpers for presenter spec
2017-05-03 14:51:55 -04:00
enable :admin_pipeline
enable :admin_build
Allow users to add cluster with ancestors Include a new policy in Clusterables (projects and groups), which checks if another cluster can be added clusterable_has_cluster? and multiple_clusters_available private methods will be overriden in EE Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/34758
2018-12-04 16:38:15 -05:00
enable :add_cluster
Add policy for clusters on group level - maintainer for group can read, create, update, and admin cluster - project user, at any level, cannot do anything with group cluster
2018-10-14 20:42:02 -04:00
enable :create_cluster
enable :update_cluster
enable :admin_cluster
Add latest changes from gitlab-org/gitlab@master
2020-03-11 02:10:11 -04:00
enable :read_deploy_token
Add latest changes from gitlab-org/gitlab@master
2020-09-01 08:11:01 -04:00
enable :create_jira_connect_subscription
Add latest changes from gitlab-org/gitlab@master
2021-09-15 08:11:13 -04:00
enable :maintainer_access
Add latest changes from gitlab-org/gitlab@master
2022-07-28 11:09:27 -04:00
enable :read_upload
enable :destroy_upload
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
end
rule { owner }.policy do
enable :admin_group
enable :admin_namespace
enable :admin_group_member
enable :change_visibility_level
Use policies to determine if attributes can be set in the API This is more idiomatic than checking membership explicitly.
2018-08-22 08:10:54 -04:00
Add latest changes from gitlab-org/gitlab@master
2022-01-10 22:16:07 -05:00
enable :read_group_runners
enable :admin_group_runners
enable :register_group_runners
Use policies to determine if attributes can be set in the API This is more idiomatic than checking membership explicitly.
2018-08-22 08:10:54 -04:00
enable :set_note_created_at
Allow disabling group/project email notifications - Adds UI to configure in group and project settings - Removes notification configuration for users when disabled at group or project level
2019-08-15 13:37:36 -04:00
enable :set_emails_disabled
Add latest changes from gitlab-org/gitlab@master
2022-08-25 20:10:28 -04:00
enable :change_prevent_sharing_groups_outside_hierarchy
Add latest changes from gitlab-org/gitlab@master
2022-09-06 14:10:28 -04:00
enable :set_show_diff_preview_in_email
Add latest changes from gitlab-org/gitlab@master
2021-07-14 17:09:44 -04:00
enable :change_new_user_signups_cap
Add latest changes from gitlab-org/gitlab@master
2020-04-24 05:09:44 -04:00
enable :update_default_branch_protection
Add latest changes from gitlab-org/gitlab@master
2020-07-01 17:08:51 -04:00
enable :create_deploy_token
enable :destroy_deploy_token
Add latest changes from gitlab-org/gitlab@master
2021-10-14 14:13:40 -04:00
enable :update_runners_registration_token
Add latest changes from gitlab-org/gitlab@master
2021-09-15 08:11:13 -04:00
enable :owner_access
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
end
Create cross project group features This allows us to check specific abilities in views, while still enabling/disabling them at once.
2018-07-03 08:08:46 -04:00
rule { can?(:read_nested_project_resources) }.policy do
enable :read_group_activity
enable :read_group_issues
enable :read_group_boards
enable :read_group_labels
enable :read_group_milestones
enable :read_group_merge_requests
Add latest changes from gitlab-org/gitlab@master
2020-08-06 17:10:15 -04:00
enable :read_group_build_report_results
Create cross project group features This allows us to check specific abilities in views, while still enabling/disabling them at once.
2018-07-03 08:08:46 -04:00
end
rule { can?(:read_cross_project) & can?(:read_group) }.policy do
enable :read_nested_project_resources
end
Remove code related to object hierarchy in MySQL These are not required because MySQL is not supported anymore
2019-07-24 05:20:54 -04:00
rule { owner }.enable :create_subgroup
rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
rule { public_group | logged_in_viewable }.enable :view_globally
rule { default }.enable(:request_access)
rule { ~request_access_enabled }.prevent :request_access
rule { ~can?(:view_globally) }.prevent :request_access
rule { has_access }.prevent :request_access
Optimize policy rule
2017-09-07 12:42:15 -04:00
rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
Enforce share_with_group_lock rules …in Groups::UpdateService instead of only in the browser.
2017-09-01 21:00:46 -04:00
Add part of needed code Add columns to store project creation settings Add project creation level column in groups and default project creation column in application settings Remove obsolete line from schema Update migration with project_creation_level column existence check Rename migrations to avoid conflicts Update migration methods Update migration method
2019-04-05 14:49:46 -04:00
rule { developer & developer_maintainer_access }.enable :create_projects
rule { create_projects_disabled }.prevent :create_projects
Add latest changes from gitlab-org/gitlab@master
2020-11-27 07:09:14 -05:00
rule { owner | admin }.policy do
enable :owner_access
enable :read_statistics
end
Expose namespace storage statistics with GraphQL Root namespaces have storage statistics. This commit allows namespace owners to get those stats via GraphQL queries like the following one { namespace(fullPath: "a_namespace_path") { rootStorageStatistics { storageSize repositorySize lfsObjectsSize buildArtifactsSize packagesSize wikiSize } } }
2019-08-22 18:08:28 -04:00
Require maintainer permission to transfer projects
2019-09-23 03:42:26 -04:00
rule { maintainer & can?(:create_projects) }.enable :transfer_projects
Add latest changes from gitlab-org/gitlab@master
2020-09-25 14:09:46 -04:00
rule { read_package_registry_deploy_token }.policy do
enable :read_package
enable :read_group
end
rule { write_package_registry_deploy_token }.policy do
enable :create_package
Add latest changes from gitlab-org/gitlab@master
2020-11-16 16:09:02 -05:00
enable :read_package
Add latest changes from gitlab-org/gitlab@master
2020-09-25 14:09:46 -04:00
enable :read_group
end
Add latest changes from gitlab-org/gitlab@master
2021-08-04 05:08:21 -04:00
rule { dependency_proxy_access_allowed & dependency_proxy_available }
Add latest changes from gitlab-org/gitlab@master
2020-11-13 16:09:31 -05:00
.enable :read_dependency_proxy
Add latest changes from gitlab-org/gitlab@master
2022-05-10 23:07:57 -04:00
rule { maintainer & dependency_proxy_available }.policy do
Add latest changes from gitlab-org/gitlab@master
2021-09-13 20:10:45 -04:00
enable :admin_dependency_proxy
end
Add latest changes from gitlab-org/gitlab@master
2020-11-13 16:09:31 -05:00
Add latest changes from gitlab-org/gitlab@master
2022-01-07 19:14:32 -05:00
rule { project_bot }.enable :project_bot_access
Add latest changes from gitlab-org/gitlab@master
2021-03-26 17:09:22 -04:00
rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
enable :read_resource_access_tokens
enable :destroy_resource_access_tokens
Add latest changes from gitlab-org/gitlab@master
2021-04-05 23:09:02 -04:00
enable :admin_setting_to_allow_project_access_token_creation
Add latest changes from gitlab-org/gitlab@master
2021-03-26 17:09:22 -04:00
end
rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
enable :create_resource_access_tokens
Add latest changes from gitlab-org/gitlab@master
2020-09-30 14:09:52 -04:00
end
Add latest changes from gitlab-org/gitlab@master
2022-01-07 19:14:32 -05:00
rule { can?(:project_bot_access) }.policy do
prevent :create_resource_access_tokens
end
Add latest changes from gitlab-org/gitlab@master
2020-11-10 10:09:14 -05:00
rule { support_bot & has_project_with_service_desk_enabled }.policy do
enable :read_label
end
Add latest changes from gitlab-org/gitlab@master
2021-10-29 11:11:56 -04:00
rule { ~crm_enabled }.policy do
prevent :read_crm_contact
prevent :read_crm_organization
prevent :admin_crm_contact
prevent :admin_crm_organization
end
Add latest changes from gitlab-org/gitlab@master
2022-02-23 10:14:44 -05:00
rule { ~admin & ~group_runner_registration_allowed }.policy do
Add latest changes from gitlab-org/gitlab@master
2021-12-16 16:14:09 -05:00
prevent :register_group_runners
end
Add latest changes from gitlab-org/gitlab@master
2022-05-11 05:08:10 -04:00
rule { migration_bot }.policy do
enable :read_resource_access_tokens
enable :destroy_resource_access_tokens
end
Add latest changes from gitlab-org/gitlab@master
2021-08-11 17:10:33 -04:00
def access_level(for_any_session: false)
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
return GroupMember::NO_ACCESS if @user.nil?
Add latest changes from gitlab-org/gitlab@master
2020-08-18 14:10:10 -04:00
return GroupMember::NO_ACCESS unless user_is_user?
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
Add latest changes from gitlab-org/gitlab@master
2021-08-11 17:10:33 -04:00
@access_level ||= lookup_access_level!(for_any_session: for_any_session)
CE changes for SSO web enforcement Adds two methods for us to extend in EE: - OmniauthCallbacksController#link_identity - GroupPolicy#lookup_access_level!
2019-05-06 12:18:03 -04:00
end
Add latest changes from gitlab-org/gitlab@master
2021-08-11 17:10:33 -04:00
def lookup_access_level!(for_any_session: false)
CE changes for SSO web enforcement Adds two methods for us to extend in EE: - OmniauthCallbacksController#link_identity - GroupPolicy#lookup_access_level!
2019-05-06 12:18:03 -04:00
@subject.max_member_access_for_user(@user)
convert all the policies to DeclarativePolicy
2017-04-06 17:06:42 -04:00
end
Add latest changes from gitlab-org/gitlab@master
2020-08-18 14:10:10 -04:00
private
def user_is_user?
user.is_a?(User)
end
Add latest changes from gitlab-org/gitlab@master
2020-09-30 14:09:52 -04:00
def group
@subject
end
Add latest changes from gitlab-org/gitlab@master
2021-03-26 17:09:22 -04:00
def resource_access_token_feature_available?
Add latest changes from gitlab-org/gitlab@master
2020-09-30 14:09:52 -04:00
true
end
Add latest changes from gitlab-org/gitlab@master
2021-03-26 17:09:22 -04:00
Add latest changes from gitlab-org/gitlab@master
2022-06-01 17:08:14 -04:00
def can_read_group_member?
!(@subject.private? && access_level == GroupMember::NO_ACCESS)
end
Add latest changes from gitlab-org/gitlab@master
2021-03-26 17:09:22 -04:00
def resource_access_token_creation_allowed?
Add latest changes from gitlab-org/gitlab@master
2021-04-05 23:09:02 -04:00
resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
Add latest changes from gitlab-org/gitlab@master
2021-03-26 17:09:22 -04:00
end
Add latest changes from gitlab-org/gitlab@master
2021-08-04 05:08:21 -04:00
def valid_dependency_proxy_deploy_token
@user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject)
end
port groups
2016-08-16 19:28:47 -04:00
end
Add latest changes from gitlab-org/gitlab@master
2019-09-13 09:26:31 -04:00
Add latest changes from gitlab-org/gitlab@master
2021-05-11 17:10:21 -04:00
GroupPolicy.prepend_mod_with('GroupPolicy')
Copy permalink