debian-mirror-gitlab/app/policies/global_policy.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

142 lines
3.5 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2016-09-29 09:46:39 +05:30
class GlobalPolicy < BasePolicy
2017-09-10 17:25:29 +05:30
desc "User is an internal user"
with_options scope: :user, score: 0
2018-10-15 14:42:47 +05:30
condition(:internal) { @user&.internal? }
2017-09-10 17:25:29 +05:30
desc "User's access has been locked"
with_options scope: :user, score: 0
2018-10-15 14:42:47 +05:30
condition(:access_locked) { @user&.access_locked? }
2017-09-10 17:25:29 +05:30
2022-03-02 08:16:31 +05:30
condition(:can_create_fork, scope: :user) { @user && @user.forkable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }
2018-10-15 14:42:47 +05:30
condition(:required_terms_not_accepted, scope: :user, score: 0) do
@user&.required_terms_not_accepted?
end
2018-03-17 18:26:18 +05:30
2021-06-02 17:11:27 +05:30
condition(:password_expired, scope: :user) do
2021-07-02 01:05:55 +05:30
@user&.password_expired_if_applicable?
2021-06-02 17:11:27 +05:30
end
2020-04-22 19:07:51 +05:30
condition(:project_bot, scope: :user) { @user&.project_bot? }
2020-05-24 23:13:21 +05:30
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
2020-04-22 19:07:51 +05:30
2023-07-09 08:55:56 +05:30
condition(:create_runner_workflow_enabled, scope: :user) do
2023-05-27 22:25:52 +05:30
Feature.enabled?(:create_runner_workflow_for_admin, @user)
2023-04-23 21:23:45 +05:30
end
2023-05-27 22:25:52 +05:30
condition(:service_account, scope: :user) { @user&.service_account? }
2017-09-10 17:25:29 +05:30
rule { anonymous }.policy do
prevent :log_in
prevent :receive_notifications
prevent :use_quick_actions
prevent :create_group
2021-04-28 17:22:55 +05:30
prevent :execute_graphql_mutation
2017-09-10 17:25:29 +05:30
end
rule { default }.policy do
enable :log_in
enable :access_api
enable :access_git
enable :receive_notifications
enable :use_quick_actions
2019-07-31 22:56:46 +05:30
enable :use_slash_commands
2021-04-28 17:22:55 +05:30
enable :execute_graphql_mutation
2017-09-10 17:25:29 +05:30
end
2020-02-01 01:16:34 +05:30
rule { inactive }.policy do
prevent :log_in
prevent :access_api
prevent :access_git
prevent :use_slash_commands
end
2017-09-10 17:25:29 +05:30
rule { blocked | internal }.policy do
prevent :log_in
prevent :access_api
prevent :receive_notifications
2019-07-31 22:56:46 +05:30
prevent :use_slash_commands
2017-09-10 17:25:29 +05:30
end
2021-04-28 17:22:55 +05:30
rule { ~can?(:access_api) }.prevent :execute_graphql_mutation
2023-07-09 08:55:56 +05:30
rule { blocked | (internal & ~migration_bot & ~security_bot & ~security_policy_bot) }.policy do
2020-05-24 23:13:21 +05:30
prevent :access_git
end
2023-07-09 08:55:56 +05:30
rule { security_policy_bot }.policy do
enable :access_git
end
2023-05-27 22:25:52 +05:30
rule { project_bot | service_account }.policy do
2020-04-22 19:07:51 +05:30
prevent :log_in
prevent :receive_notifications
end
2019-12-21 20:55:43 +05:30
rule { deactivated }.policy do
prevent :access_git
prevent :access_api
prevent :receive_notifications
prevent :use_slash_commands
end
2018-10-15 14:42:47 +05:30
rule { required_terms_not_accepted }.policy do
prevent :access_api
prevent :access_git
end
2021-06-02 17:11:27 +05:30
rule { password_expired }.policy do
prevent :access_api
prevent :access_git
prevent :use_slash_commands
end
2017-09-10 17:25:29 +05:30
rule { can_create_group }.policy do
enable :create_group
end
2020-05-24 23:13:21 +05:30
rule { can?(:create_group) }.policy do
enable :create_group_with_default_branch_protection
end
2018-03-17 18:26:18 +05:30
rule { can_create_fork }.policy do
enable :create_fork
end
2017-09-10 17:25:29 +05:30
rule { access_locked }.policy do
prevent :log_in
2019-07-31 22:56:46 +05:30
prevent :use_slash_commands
2017-09-10 17:25:29 +05:30
end
rule { ~(anonymous & restricted_public_level) }.policy do
enable :read_users_list
2016-09-29 09:46:39 +05:30
end
2018-03-17 18:26:18 +05:30
2019-07-07 11:18:12 +05:30
rule { ~anonymous }.policy do
enable :read_instance_metadata
2020-03-13 15:44:24 +05:30
enable :create_snippet
2019-07-07 11:18:12 +05:30
end
2018-03-17 18:26:18 +05:30
rule { admin }.policy do
enable :read_custom_attribute
enable :update_custom_attribute
2021-01-03 14:25:43 +05:30
enable :approve_user
2021-02-22 17:27:13 +05:30
enable :reject_user
2021-04-17 20:07:23 +05:30
enable :read_usage_trends_measurement
2023-06-20 00:43:36 +05:30
enable :create_instance_runner
2023-04-23 21:23:45 +05:30
end
rule { ~create_runner_workflow_enabled }.policy do
2023-06-20 00:43:36 +05:30
prevent :create_instance_runner
2018-03-17 18:26:18 +05:30
end
2020-01-01 13:55:28 +05:30
2020-07-28 23:09:34 +05:30
# We can't use `read_statistics` because the user may have different permissions for different projects
rule { admin }.enable :use_project_statistics_filters
2020-03-13 15:44:24 +05:30
rule { external_user }.prevent :create_snippet
2016-09-29 09:46:39 +05:30
end
2019-12-04 20:38:33 +05:30
2021-06-08 01:23:25 +05:30
GlobalPolicy.prepend_mod_with('GlobalPolicy')