debian-mirror-gitlab/app/policies/group_policy.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

400 lines
12 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2022-01-26 12:08:38 +05:30
class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
2019-12-04 20:38:33 +05:30
include FindGroupProjects
2017-09-10 17:25:29 +05:30
desc "Group is public"
with_options scope: :subject, score: 0
condition(:public_group) { @subject.public? }
with_score 0
condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }
condition(:has_access) { access_level != GroupMember::NO_ACCESS }
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
condition(:guest) { access_level >= GroupMember::GUEST }
2018-03-17 18:26:18 +05:30
condition(:developer) { access_level >= GroupMember::DEVELOPER }
2017-09-10 17:25:29 +05:30
condition(:owner) { access_level >= GroupMember::OWNER }
2018-11-18 11:00:15 +05:30
condition(:maintainer) { access_level >= GroupMember::MAINTAINER }
2017-09-10 17:25:29 +05:30
condition(:reporter) { access_level >= GroupMember::REPORTER }
2016-09-29 09:46:39 +05:30
2018-03-17 18:26:18 +05:30
condition(:has_parent, scope: :subject) { @subject.has_parent? }
condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
2023-01-13 00:05:48 +05:30
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
2022-06-02 21:05:25 +05:30
condition(:can_read_group_member) { can_read_group_member? }
2018-03-17 18:26:18 +05:30
2022-03-02 08:16:31 +05:30
desc "User is a project bot"
condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST }
2017-09-10 17:25:29 +05:30
condition(:has_projects) do
2019-12-04 20:38:33 +05:30
group_projects_for(user: @user, group: @subject).any?
2016-09-29 09:46:39 +05:30
end
2017-09-10 17:25:29 +05:30
with_options scope: :subject, score: 0
condition(:request_access_enabled) { @subject.request_access_enabled }
2022-11-25 23:54:43 +05:30
condition(:create_projects_disabled, scope: :subject) do
2019-07-07 11:18:12 +05:30
@subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
end
2022-11-25 23:54:43 +05:30
condition(:developer_maintainer_access, scope: :subject) do
2019-07-07 11:18:12 +05:30
@subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
end
2022-11-25 23:54:43 +05:30
condition(:maintainer_can_create_group, scope: :subject) do
2019-10-12 21:52:04 +05:30
@subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
end
2020-07-28 23:09:34 +05:30
condition(:design_management_enabled) do
group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
end
2022-11-25 23:54:43 +05:30
condition(:dependency_proxy_available, scope: :subject) do
2021-01-29 00:20:46 +05:30
@subject.dependency_proxy_feature_available?
end
2021-10-27 15:23:28 +05:30
condition(:dependency_proxy_access_allowed) do
2022-07-16 23:28:13 +05:30
access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
2021-10-27 15:23:28 +05:30
end
2022-11-25 23:54:43 +05:30
condition(:observability_enabled, scope: :subject) do
2022-10-11 01:57:18 +05:30
Feature.enabled?(:observability_group_tab, @subject)
end
2021-01-03 14:25:43 +05:30
desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
end
desc "Deploy token with write_package_registry scope"
condition(:write_package_registry_deploy_token) do
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.write_package_registry
end
with_scope :subject
2021-04-29 21:17:54 +05:30
condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
2023-06-09 08:11:10 +05:30
condition(:resource_access_token_create_feature_available) { resource_access_token_create_feature_available? }
2021-01-03 14:25:43 +05:30
2021-01-29 00:20:46 +05:30
with_scope :subject
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
2022-11-25 23:54:43 +05:30
with_scope :subject
2022-07-23 23:45:48 +05:30
condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
2021-12-11 22:18:48 +05:30
2023-06-09 08:11:10 +05:30
condition(:create_runner_workflow_enabled) do
Feature.enabled?(:create_runner_workflow_for_namespace, group)
end
condition(:achievements_enabled, scope: :subject) do
Feature.enabled?(:achievements, @subject)
end
condition(:group_runner_registration_allowed, scope: :subject) do
Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled?
2022-07-16 23:28:13 +05:30
end
2021-03-08 18:12:59 +05:30
rule { can?(:read_group) & design_management_enabled }.policy do
2020-07-28 23:09:34 +05:30
enable :read_design_activity
end
2018-03-17 18:26:18 +05:30
rule { public_group }.policy do
enable :read_group
2019-12-26 22:10:19 +05:30
enable :read_package
2018-03-17 18:26:18 +05:30
end
2020-05-24 23:13:21 +05:30
rule { logged_in_viewable }.enable :read_group
2018-03-17 18:26:18 +05:30
rule { guest }.policy do
enable :read_group
enable :upload_file
2021-11-11 11:23:49 +05:30
enable :guest_access
2022-04-04 11:22:00 +05:30
enable :read_release
2018-03-17 18:26:18 +05:30
end
2019-12-21 20:55:43 +05:30
rule { admin }.policy do
enable :read_group
enable :update_max_artifacts_size
end
2018-05-09 12:01:36 +05:30
2020-07-28 23:09:34 +05:30
rule { can?(:read_all_resources) }.policy do
enable :read_confidential_issues
end
2018-05-09 12:01:36 +05:30
rule { has_projects }.policy do
2019-12-21 20:55:43 +05:30
enable :read_group
end
rule { can?(:read_group) }.policy do
enable :read_milestone
2021-04-17 20:07:23 +05:30
enable :read_issue_board_list
2018-05-09 12:01:36 +05:30
enable :read_label
2021-04-17 20:07:23 +05:30
enable :read_issue_board
2020-11-24 15:15:51 +05:30
enable :read_group_member
2021-01-29 00:20:46 +05:30
enable :read_custom_emoji
2021-11-11 11:23:49 +05:30
enable :read_counts
2018-05-09 12:01:36 +05:30
end
2017-09-10 17:25:29 +05:30
2023-06-09 08:11:10 +05:30
rule { can?(:read_group) & achievements_enabled }.policy do
enable :read_achievement
end
rule { can?(:maintainer_access) & achievements_enabled }.policy do
enable :admin_achievement
enable :award_achievement
end
2021-11-11 11:23:49 +05:30
rule { ~public_group & ~has_access }.prevent :read_counts
2022-06-02 21:05:25 +05:30
rule { ~can_read_group_member }.policy do
prevent :read_group_member
end
2020-07-28 23:09:34 +05:30
rule { ~can?(:read_group) }.policy do
prevent :read_design_activity
end
2018-03-17 18:26:18 +05:30
rule { has_access }.enable :read_namespace
2019-12-26 22:10:19 +05:30
rule { developer }.policy do
2023-06-09 08:11:10 +05:30
enable :admin_metrics_dashboard_annotation
2021-01-29 00:20:46 +05:30
enable :create_custom_emoji
2021-10-27 15:23:28 +05:30
enable :create_package
2021-11-11 11:23:49 +05:30
enable :developer_access
2021-12-11 22:18:48 +05:30
enable :admin_crm_organization
enable :admin_crm_contact
2022-04-04 11:22:00 +05:30
enable :read_cluster
2022-11-25 23:54:43 +05:30
enable :read_group_all_available_runners
2023-06-09 08:11:10 +05:30
enable :use_k8s_proxies
2019-12-26 22:10:19 +05:30
end
2018-03-27 19:54:05 +05:30
rule { reporter }.policy do
2020-04-22 19:07:51 +05:30
enable :reporter_access
2019-10-12 21:52:04 +05:30
enable :read_container_image
2022-08-13 15:12:31 +05:30
enable :read_harbor_registry
2021-04-17 20:07:23 +05:30
enable :admin_issue_board
2018-03-27 19:54:05 +05:30
enable :admin_label
2022-07-16 23:28:13 +05:30
enable :admin_milestone
2021-04-17 20:07:23 +05:30
enable :admin_issue_board_list
2018-03-27 19:54:05 +05:30
enable :admin_issue
2020-04-22 19:07:51 +05:30
enable :read_metrics_dashboard_annotation
2020-07-28 23:09:34 +05:30
enable :read_prometheus
2021-01-03 14:25:43 +05:30
enable :read_package
2022-03-02 08:16:31 +05:30
enable :read_crm_organization
enable :read_crm_contact
2018-03-27 19:54:05 +05:30
end
2017-09-10 17:25:29 +05:30
2018-11-18 11:00:15 +05:30
rule { maintainer }.policy do
2021-10-27 15:23:28 +05:30
enable :destroy_package
2022-07-16 23:28:13 +05:30
enable :admin_package
2017-09-10 17:25:29 +05:30
enable :create_projects
2023-06-09 08:11:10 +05:30
enable :import_projects
2017-09-10 17:25:29 +05:30
enable :admin_pipeline
enable :admin_build
2019-02-15 15:39:39 +05:30
enable :add_cluster
enable :create_cluster
enable :update_cluster
enable :admin_cluster
2020-04-08 14:13:33 +05:30
enable :read_deploy_token
2020-11-24 15:15:51 +05:30
enable :create_jira_connect_subscription
2021-11-11 11:23:49 +05:30
enable :maintainer_access
2022-08-27 11:52:29 +05:30
enable :read_upload
enable :destroy_upload
2017-09-10 17:25:29 +05:30
end
rule { owner }.policy do
enable :admin_group
enable :admin_namespace
enable :admin_group_member
enable :change_visibility_level
2018-11-20 20:47:30 +05:30
2023-06-09 08:11:10 +05:30
enable :read_usage_quotas
2022-03-02 08:16:31 +05:30
enable :read_group_runners
enable :admin_group_runners
enable :register_group_runners
2023-06-09 08:11:10 +05:30
enable :create_group_runners
2022-03-02 08:16:31 +05:30
2018-11-20 20:47:30 +05:30
enable :set_note_created_at
2019-10-12 21:52:04 +05:30
enable :set_emails_disabled
2022-10-11 01:57:18 +05:30
enable :change_prevent_sharing_groups_outside_hierarchy
enable :set_show_diff_preview_in_email
2021-09-30 23:02:18 +05:30
enable :change_new_user_signups_cap
2020-05-24 23:13:21 +05:30
enable :update_default_branch_protection
2020-07-02 01:45:43 +05:30
enable :create_deploy_token
enable :destroy_deploy_token
2021-11-18 22:05:49 +05:30
enable :update_runners_registration_token
2021-11-11 11:23:49 +05:30
enable :owner_access
2022-11-25 23:54:43 +05:30
enable :read_billing
enable :edit_billing
2017-09-10 17:25:29 +05:30
end
2018-11-08 19:23:39 +05:30
rule { can?(:read_nested_project_resources) }.policy do
enable :read_group_activity
enable :read_group_issues
enable :read_group_boards
enable :read_group_labels
enable :read_group_milestones
enable :read_group_merge_requests
2020-10-24 23:57:45 +05:30
enable :read_group_build_report_results
2018-11-08 19:23:39 +05:30
end
rule { can?(:read_cross_project) & can?(:read_group) }.policy do
enable :read_nested_project_resources
end
2019-10-12 21:52:04 +05:30
rule { owner }.enable :create_subgroup
rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
2017-09-10 17:25:29 +05:30
rule { public_group | logged_in_viewable }.enable :view_globally
rule { default }.enable(:request_access)
rule { ~request_access_enabled }.prevent :request_access
rule { ~can?(:view_globally) }.prevent :request_access
rule { has_access }.prevent :request_access
2023-06-09 08:11:10 +05:30
rule do
owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock)
end.enable :change_share_with_group_lock
2018-03-17 18:26:18 +05:30
2019-07-07 11:18:12 +05:30
rule { developer & developer_maintainer_access }.enable :create_projects
2023-06-09 08:11:10 +05:30
rule { create_projects_disabled }.policy do
prevent :create_projects
prevent :import_projects
end
2019-07-07 11:18:12 +05:30
2021-02-22 17:27:13 +05:30
rule { owner | admin }.policy do
enable :owner_access
enable :read_statistics
end
2019-12-04 20:38:33 +05:30
2023-06-09 08:11:10 +05:30
rule { maintainer & can?(:create_projects) }.policy do
enable :transfer_projects
enable :import_projects
end
2019-10-31 01:37:42 +05:30
2021-01-03 14:25:43 +05:30
rule { read_package_registry_deploy_token }.policy do
enable :read_package
enable :read_group
end
rule { write_package_registry_deploy_token }.policy do
enable :create_package
2021-01-29 00:20:46 +05:30
enable :read_package
2021-01-03 14:25:43 +05:30
enable :read_group
end
2021-10-27 15:23:28 +05:30
rule { dependency_proxy_access_allowed & dependency_proxy_available }
2021-01-29 00:20:46 +05:30
.enable :read_dependency_proxy
2022-07-16 23:28:13 +05:30
rule { maintainer & dependency_proxy_available }.policy do
2021-11-11 11:23:49 +05:30
enable :admin_dependency_proxy
end
2021-01-29 00:20:46 +05:30
2022-03-02 08:16:31 +05:30
rule { project_bot }.enable :project_bot_access
2021-04-29 21:17:54 +05:30
rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
enable :read_resource_access_tokens
enable :destroy_resource_access_tokens
2023-01-10 11:22:00 +05:30
end
2023-06-09 08:11:10 +05:30
rule { can?(:admin_group) & resource_access_token_create_feature_available }.policy do
enable :admin_setting_to_allow_resource_access_token_creation
2021-04-29 21:17:54 +05:30
end
rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
enable :create_resource_access_tokens
2021-01-03 14:25:43 +05:30
end
2022-03-02 08:16:31 +05:30
rule { can?(:project_bot_access) }.policy do
prevent :create_resource_access_tokens
end
2023-01-13 00:05:48 +05:30
rule { can?(:admin_group_member) }.policy do
# ability to read, approve or reject member access requests of other users
enable :admin_member_access_request
end
2021-01-29 00:20:46 +05:30
rule { support_bot & has_project_with_service_desk_enabled }.policy do
enable :read_label
end
2021-12-11 22:18:48 +05:30
rule { ~crm_enabled }.policy do
prevent :read_crm_contact
prevent :read_crm_organization
prevent :admin_crm_contact
prevent :admin_crm_organization
end
2022-05-07 20:08:51 +05:30
rule { ~admin & ~group_runner_registration_allowed }.policy do
2022-01-26 12:08:38 +05:30
prevent :register_group_runners
2023-06-09 08:11:10 +05:30
prevent :create_group_runners
2022-01-26 12:08:38 +05:30
end
2022-07-16 23:28:13 +05:30
rule { migration_bot }.policy do
enable :read_resource_access_tokens
enable :destroy_resource_access_tokens
end
2022-10-11 01:57:18 +05:30
rule { can?(:developer_access) & observability_enabled }.policy do
enable :read_observability
end
2023-06-09 08:11:10 +05:30
rule { can?(:maintainer_access) & observability_enabled }.policy do
enable :admin_observability
end
rule { ~create_runner_workflow_enabled }.policy do
prevent :create_group_runners
end
# Should be matched with ProjectPolicy#read_internal_note
rule { admin | reporter }.enable :read_internal_note
2021-10-27 15:23:28 +05:30
def access_level(for_any_session: false)
2017-09-10 17:25:29 +05:30
return GroupMember::NO_ACCESS if @user.nil?
2020-08-19 02:56:42 +05:30
return GroupMember::NO_ACCESS unless user_is_user?
2017-09-10 17:25:29 +05:30
2021-10-27 15:23:28 +05:30
@access_level ||= lookup_access_level!(for_any_session: for_any_session)
2019-07-31 22:56:46 +05:30
end
2021-10-27 15:23:28 +05:30
def lookup_access_level!(for_any_session: false)
2019-07-31 22:56:46 +05:30
@subject.max_member_access_for_user(@user)
2017-09-10 17:25:29 +05:30
end
2020-08-19 02:56:42 +05:30
private
def user_is_user?
user.is_a?(User)
end
2021-01-03 14:25:43 +05:30
def group
@subject
end
2021-04-29 21:17:54 +05:30
def resource_access_token_feature_available?
2021-01-03 14:25:43 +05:30
true
end
2021-04-29 21:17:54 +05:30
2023-01-10 11:22:00 +05:30
def resource_access_token_create_feature_available?
true
end
2022-06-02 21:05:25 +05:30
def can_read_group_member?
!(@subject.private? && access_level == GroupMember::NO_ACCESS)
end
2021-04-29 21:17:54 +05:30
def resource_access_token_creation_allowed?
2023-01-10 11:22:00 +05:30
resource_access_token_create_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
2021-04-29 21:17:54 +05:30
end
2021-10-27 15:23:28 +05:30
def valid_dependency_proxy_deploy_token
@user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject)
end
2016-09-29 09:46:39 +05:30
end
2019-12-04 20:38:33 +05:30
2021-06-08 01:23:25 +05:30
GroupPolicy.prepend_mod_with('GroupPolicy')