debian-mirror-gitlab/app/policies/project_policy.rb

549 lines
16 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2016-09-29 09:46:39 +05:30
class ProjectPolicy < BasePolicy
2018-05-09 12:01:36 +05:30
extend ClassMethods
READONLY_FEATURES_WHEN_ARCHIVED = %i[
issue
list
merge_request
label
milestone
2020-03-09 13:42:32 +05:30
snippet
2018-05-09 12:01:36 +05:30
wiki
note
pipeline
pipeline_schedule
build
trigger
environment
deployment
commit_status
container_image
pages
cluster
2019-02-15 15:39:39 +05:30
release
2018-05-09 12:01:36 +05:30
].freeze
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
desc "User is a project owner"
condition :owner do
(project.owner.present? && project.owner == @user) ||
project.group&.has_owner?(@user)
end
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
desc "Project has public builds enabled"
2018-05-09 12:01:36 +05:30
condition(:public_builds, scope: :subject, score: 0) { project.public_builds? }
2016-09-29 09:46:39 +05:30
2018-03-17 18:26:18 +05:30
# For guest access we use #team_member? so we can use
2017-09-10 17:25:29 +05:30
# project.members, which gets cached in subject scope.
# This is safe because team_access_level is guaranteed
# by ProjectAuthorization's validation to be at minimum
# GUEST
desc "User has guest access"
2018-03-17 18:26:18 +05:30
condition(:guest) { team_member? }
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
desc "User has reporter access"
condition(:reporter) { team_access_level >= Gitlab::Access::REPORTER }
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
desc "User has developer access"
condition(:developer) { team_access_level >= Gitlab::Access::DEVELOPER }
2018-11-08 19:23:39 +05:30
desc "User has maintainer access"
2018-11-18 11:00:15 +05:30
condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER }
2017-09-10 17:25:29 +05:30
desc "Project is public"
2018-05-09 12:01:36 +05:30
condition(:public_project, scope: :subject, score: 0) { project.public? }
2017-09-10 17:25:29 +05:30
desc "Project is visible to internal users"
condition(:internal_access) do
project.internal? && !user.external?
2016-09-29 09:46:39 +05:30
end
2017-09-10 17:25:29 +05:30
desc "User is a member of the group"
condition(:group_member, scope: :subject) { project_group_member? }
desc "Project is archived"
2018-05-09 12:01:36 +05:30
condition(:archived, scope: :subject, score: 0) { project.archived? }
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
condition(:default_issues_tracker, scope: :subject) { project.default_issues_tracker? }
desc "Container registry is disabled"
condition(:container_registry_disabled, scope: :subject) do
!project.container_registry_enabled
2017-08-17 22:00:37 +05:30
end
2017-09-10 17:25:29 +05:30
desc "Project has an external wiki"
2018-05-09 12:01:36 +05:30
condition(:has_external_wiki, scope: :subject, score: 0) { project.has_external_wiki? }
2017-09-10 17:25:29 +05:30
desc "Project has request access enabled"
2018-05-09 12:01:36 +05:30
condition(:request_access_enabled, scope: :subject, score: 0) { project.request_access_enabled }
2017-09-10 17:25:29 +05:30
2018-03-27 19:54:05 +05:30
desc "Has merge requests allowing pushes to user"
2018-11-08 19:23:39 +05:30
condition(:has_merge_requests_allowing_pushes) do
2018-03-27 19:54:05 +05:30
project.merge_requests_allowing_push_to_user(user).any?
end
2020-03-09 13:42:32 +05:30
with_scope :subject
condition(:forking_allowed) do
@subject.feature_available?(:forking, @user)
end
2018-10-15 14:42:47 +05:30
with_scope :global
condition(:mirror_available, score: 0) do
::Gitlab::CurrentSettings.current_application_settings.mirror_available
end
2019-07-07 11:18:12 +05:30
with_scope :subject
condition(:classification_label_authorized, score: 32) do
::Gitlab::ExternalAuthorization.access_allowed?(
@user,
@subject.external_authorization_classification_label,
@subject.full_path
)
end
2018-05-09 12:01:36 +05:30
# We aren't checking `:read_issue` or `:read_merge_request` in this case
# because it could be possible for a user to see an issuable-iid
# (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
# allowed to read the actual issue after a more expensive `:read_issue`
# check. These checks are intended to be used alongside
# `:read_project_for_iids`.
#
# `:read_issue` & `:read_issue_iid` could diverge in gitlab-ee.
condition(:issues_visible_to_user, score: 4) do
@subject.feature_available?(:issues, @user)
end
condition(:merge_requests_visible_to_user, score: 4) do
@subject.feature_available?(:merge_requests, @user)
end
2019-02-02 18:00:53 +05:30
condition(:internal_builds_disabled) do
!@subject.builds_enabled?
end
2019-12-26 22:10:19 +05:30
condition(:user_confirmed?) do
@user && @user.confirmed?
end
2017-09-10 17:25:29 +05:30
features = %w[
merge_requests
issues
repository
snippets
wiki
builds
2018-12-05 23:21:45 +05:30
pages
2017-09-10 17:25:29 +05:30
]
features.each do |f|
# these are scored high because they are unlikely
desc "Project has #{f} disabled"
condition(:"#{f}_disabled", score: 32) { !feature_available?(f.to_sym) }
2016-09-29 09:46:39 +05:30
end
2018-05-09 12:01:36 +05:30
# `:read_project` may be prevented in EE, but `:read_project_for_iids` should
# not.
rule { guest | admin }.enable :read_project_for_iids
2019-12-21 20:55:43 +05:30
rule { admin }.enable :update_max_artifacts_size
2017-09-10 17:25:29 +05:30
rule { guest }.enable :guest_access
rule { reporter }.enable :reporter_access
rule { developer }.enable :developer_access
2018-11-18 11:00:15 +05:30
rule { maintainer }.enable :maintainer_access
2018-03-27 19:54:05 +05:30
rule { owner | admin }.enable :owner_access
2017-09-10 17:25:29 +05:30
2018-03-27 19:54:05 +05:30
rule { can?(:owner_access) }.policy do
2017-09-10 17:25:29 +05:30
enable :guest_access
enable :reporter_access
enable :developer_access
2018-11-18 11:00:15 +05:30
enable :maintainer_access
2017-09-10 17:25:29 +05:30
enable :change_namespace
enable :change_visibility_level
enable :rename_project
enable :remove_project
enable :archive_project
enable :remove_fork_project
enable :destroy_merge_request
enable :destroy_issue
2018-11-20 20:47:30 +05:30
enable :set_issue_iid
enable :set_issue_created_at
2019-09-04 21:01:54 +05:30
enable :set_issue_updated_at
2018-11-20 20:47:30 +05:30
enable :set_note_created_at
2019-10-12 21:52:04 +05:30
enable :set_emails_disabled
2016-09-29 09:46:39 +05:30
end
2017-09-10 17:25:29 +05:30
rule { can?(:guest_access) }.policy do
enable :read_project
2018-05-09 12:01:36 +05:30
enable :create_merge_request_in
2017-09-10 17:25:29 +05:30
enable :read_board
enable :read_list
enable :read_wiki
enable :read_issue
enable :read_label
enable :read_milestone
2020-03-09 13:42:32 +05:30
enable :read_snippet
2017-09-10 17:25:29 +05:30
enable :read_project_member
enable :read_note
enable :create_project
enable :create_issue
enable :create_note
enable :upload_file
enable :read_cycle_analytics
2018-05-09 12:01:36 +05:30
enable :award_emoji
2018-12-05 23:21:45 +05:30
enable :read_pages_content
2019-07-31 22:56:46 +05:30
enable :read_release
2016-09-29 09:46:39 +05:30
end
2018-03-27 19:54:05 +05:30
# These abilities are not allowed to admins that are not members of the project,
2018-05-09 12:01:36 +05:30
# that's why they are defined separately.
2018-03-27 19:54:05 +05:30
rule { guest & can?(:download_code) }.enable :build_download_code
rule { guest & can?(:read_container_image) }.enable :build_read_container_image
2017-09-10 17:25:29 +05:30
rule { can?(:reporter_access) }.policy do
2019-09-30 21:07:59 +05:30
enable :admin_board
2017-09-10 17:25:29 +05:30
enable :download_code
2019-07-07 11:18:12 +05:30
enable :read_statistics
2017-09-10 17:25:29 +05:30
enable :download_wiki_code
2020-03-09 13:42:32 +05:30
enable :create_snippet
2017-09-10 17:25:29 +05:30
enable :update_issue
2018-11-20 20:47:30 +05:30
enable :reopen_issue
2017-09-10 17:25:29 +05:30
enable :admin_issue
enable :admin_label
enable :admin_list
enable :read_commit_status
enable :read_build
enable :read_container_image
enable :read_pipeline
enable :read_environment
enable :read_deployment
enable :read_merge_request
2019-02-15 15:39:39 +05:30
enable :read_sentry_issue
2020-03-09 13:42:32 +05:30
enable :update_sentry_issue
2019-07-07 11:18:12 +05:30
enable :read_prometheus
2016-09-29 09:46:39 +05:30
end
2018-03-27 19:54:05 +05:30
# We define `:public_user_access` separately because there are cases in gitlab-ee
# where we enable or prevent it based on other coditions.
2017-09-10 17:25:29 +05:30
rule { (~anonymous & public_project) | internal_access }.policy do
enable :public_user_access
2018-05-09 12:01:36 +05:30
enable :read_project_for_iids
2016-09-29 09:46:39 +05:30
end
2017-09-10 17:25:29 +05:30
rule { can?(:public_user_access) }.policy do
2018-03-27 19:54:05 +05:30
enable :public_access
2017-09-10 17:25:29 +05:30
enable :guest_access
2018-03-27 19:54:05 +05:30
enable :build_download_code
enable :build_read_container_image
2017-09-10 17:25:29 +05:30
enable :request_access
2016-09-29 09:46:39 +05:30
end
2020-03-09 13:42:32 +05:30
rule { (can?(:public_user_access) | can?(:reporter_access)) & forking_allowed }.policy do
enable :fork_project
end
2017-09-10 17:25:29 +05:30
rule { owner | admin | guest | group_member }.prevent :request_access
rule { ~request_access_enabled }.prevent :request_access
2019-02-15 15:39:39 +05:30
rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
2017-09-10 17:25:29 +05:30
rule { can?(:developer_access) }.policy do
2019-09-30 21:07:59 +05:30
enable :admin_board
2017-09-10 17:25:29 +05:30
enable :admin_merge_request
2018-03-17 18:26:18 +05:30
enable :admin_milestone
2017-09-10 17:25:29 +05:30
enable :update_merge_request
2019-07-07 11:18:12 +05:30
enable :reopen_merge_request
2017-09-10 17:25:29 +05:30
enable :create_commit_status
enable :update_commit_status
enable :create_build
enable :update_build
2019-02-02 18:00:53 +05:30
enable :read_pipeline_schedule
2018-05-09 12:01:36 +05:30
enable :create_merge_request_from
2017-09-10 17:25:29 +05:30
enable :create_wiki
enable :push_code
enable :resolve_note
enable :create_container_image
enable :update_container_image
2019-09-04 21:01:54 +05:30
enable :destroy_container_image
2017-09-10 17:25:29 +05:30
enable :create_environment
2020-01-01 13:55:28 +05:30
enable :update_environment
2017-09-10 17:25:29 +05:30
enable :create_deployment
2019-12-21 20:55:43 +05:30
enable :update_deployment
2019-02-15 15:39:39 +05:30
enable :create_release
enable :update_release
2016-11-24 13:41:30 +05:30
end
2019-12-26 22:10:19 +05:30
rule { can?(:developer_access) & user_confirmed? }.policy do
enable :create_pipeline
enable :update_pipeline
enable :create_pipeline_schedule
end
2018-11-18 11:00:15 +05:30
rule { can?(:maintainer_access) }.policy do
2019-09-30 21:07:59 +05:30
enable :admin_board
2018-05-09 12:01:36 +05:30
enable :push_to_delete_protected_branch
2020-03-09 13:42:32 +05:30
enable :update_snippet
enable :admin_snippet
2017-09-10 17:25:29 +05:30
enable :admin_project_member
enable :admin_note
enable :admin_wiki
enable :admin_project
enable :admin_commit_status
enable :admin_build
enable :admin_container_image
enable :admin_pipeline
enable :admin_environment
enable :admin_deployment
enable :admin_pages
enable :read_pages
enable :update_pages
2019-07-07 11:18:12 +05:30
enable :remove_pages
2018-03-17 18:26:18 +05:30
enable :read_cluster
2019-02-15 15:39:39 +05:30
enable :add_cluster
2018-03-17 18:26:18 +05:30
enable :create_cluster
2019-02-15 15:39:39 +05:30
enable :update_cluster
enable :admin_cluster
2018-11-20 20:47:30 +05:30
enable :create_environment_terminal
2019-02-15 15:39:39 +05:30
enable :destroy_release
2019-07-07 11:18:12 +05:30
enable :destroy_artifacts
enable :daily_statistics
2019-12-04 20:38:33 +05:30
enable :admin_operations
2020-04-08 14:13:33 +05:30
enable :read_deploy_token
enable :create_deploy_token
enable :read_pod_logs
enable :destroy_deploy_token
2017-09-10 17:25:29 +05:30
end
2016-09-29 09:46:39 +05:30
2018-10-15 14:42:47 +05:30
rule { (mirror_available & can?(:admin_project)) | admin }.enable :admin_remote_mirror
2019-09-30 21:07:59 +05:30
rule { can?(:push_code) }.enable :admin_tag
2018-10-15 14:42:47 +05:30
2017-09-10 17:25:29 +05:30
rule { archived }.policy do
prevent :push_code
2018-05-09 12:01:36 +05:30
prevent :push_to_delete_protected_branch
prevent :request_access
prevent :upload_file
prevent :resolve_note
prevent :create_merge_request_from
prevent :create_merge_request_in
prevent :award_emoji
READONLY_FEATURES_WHEN_ARCHIVED.each do |feature|
prevent(*create_update_admin_destroy(feature))
end
end
rule { issues_disabled }.policy do
prevent(*create_read_update_admin_destroy(:issue))
2019-03-13 22:55:13 +05:30
prevent(*create_read_update_admin_destroy(:board))
prevent(*create_read_update_admin_destroy(:list))
2017-09-10 17:25:29 +05:30
end
2016-11-03 12:29:30 +05:30
2017-09-10 17:25:29 +05:30
rule { merge_requests_disabled | repository_disabled }.policy do
2018-05-09 12:01:36 +05:30
prevent :create_merge_request_in
prevent :create_merge_request_from
prevent(*create_read_update_admin_destroy(:merge_request))
2016-09-29 09:46:39 +05:30
end
2018-12-05 23:21:45 +05:30
rule { pages_disabled }.prevent :read_pages_content
2017-09-10 17:25:29 +05:30
rule { issues_disabled & merge_requests_disabled }.policy do
2018-05-09 12:01:36 +05:30
prevent(*create_read_update_admin_destroy(:label))
prevent(*create_read_update_admin_destroy(:milestone))
2016-09-29 09:46:39 +05:30
end
2017-09-10 17:25:29 +05:30
rule { snippets_disabled }.policy do
2020-03-09 13:42:32 +05:30
prevent(*create_read_update_admin_destroy(:snippet))
2017-09-10 17:25:29 +05:30
end
2016-11-03 12:29:30 +05:30
2019-02-02 18:00:53 +05:30
rule { wiki_disabled }.policy do
2018-05-09 12:01:36 +05:30
prevent(*create_read_update_admin_destroy(:wiki))
2017-09-10 17:25:29 +05:30
prevent(:download_wiki_code)
end
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
rule { builds_disabled | repository_disabled }.policy do
2018-05-09 12:01:36 +05:30
prevent(*create_read_update_admin_destroy(:build))
prevent(*create_read_update_admin_destroy(:pipeline_schedule))
prevent(*create_read_update_admin_destroy(:environment))
2018-11-08 19:23:39 +05:30
prevent(*create_read_update_admin_destroy(:cluster))
2018-05-09 12:01:36 +05:30
prevent(*create_read_update_admin_destroy(:deployment))
2017-09-10 17:25:29 +05:30
end
2016-09-29 09:46:39 +05:30
2019-02-02 18:00:53 +05:30
# There's two separate cases when builds_disabled is true:
# 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
2020-03-09 13:42:32 +05:30
# - We do not prevent the user from accessing Pipelines to allow them to access external CI
2019-02-02 18:00:53 +05:30
# 2. When the user is not allowed to access CI - builds_disabled && ~internal_builds_disabled
# - We prevent the user from accessing Pipelines
rule { (builds_disabled & ~internal_builds_disabled) | repository_disabled }.policy do
prevent(*create_read_update_admin_destroy(:pipeline))
prevent(*create_read_update_admin_destroy(:commit_status))
end
2017-09-10 17:25:29 +05:30
rule { repository_disabled }.policy do
prevent :push_code
prevent :download_code
prevent :fork_project
prevent :read_commit_status
2019-02-02 18:00:53 +05:30
prevent :read_pipeline
2019-02-15 15:39:39 +05:30
prevent(*create_read_update_admin_destroy(:release))
2017-09-10 17:25:29 +05:30
end
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
rule { container_registry_disabled }.policy do
2018-05-09 12:01:36 +05:30
prevent(*create_read_update_admin_destroy(:container_image))
2017-09-10 17:25:29 +05:30
end
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
rule { anonymous & ~public_project }.prevent_all
2018-05-09 12:01:36 +05:30
rule { public_project }.policy do
enable :public_access
enable :read_project_for_iids
end
2017-09-10 17:25:29 +05:30
rule { can?(:public_access) }.policy do
enable :read_project
enable :read_board
enable :read_list
enable :read_wiki
enable :read_label
enable :read_milestone
2020-03-09 13:42:32 +05:30
enable :read_snippet
2017-09-10 17:25:29 +05:30
enable :read_project_member
enable :read_merge_request
enable :read_note
enable :read_pipeline
enable :read_commit_status
enable :read_container_image
enable :download_code
2019-02-15 15:39:39 +05:30
enable :read_release
2017-09-10 17:25:29 +05:30
enable :download_wiki_code
enable :read_cycle_analytics
2018-12-05 23:21:45 +05:30
enable :read_pages_content
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
# NOTE: may be overridden by IssuePolicy
enable :read_issue
end
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
rule { public_builds }.policy do
enable :read_build
end
2016-11-03 12:29:30 +05:30
2017-09-10 17:25:29 +05:30
rule { public_builds & can?(:guest_access) }.policy do
enable :read_pipeline
2016-09-29 09:46:39 +05:30
end
2018-03-27 19:54:05 +05:30
# These rules are included to allow maintainers of projects to push to certain
# to run pipelines for the branches they have access to.
2019-12-26 22:10:19 +05:30
rule { can?(:public_access) & has_merge_requests_allowing_pushes & user_confirmed? }.policy do
2018-03-27 19:54:05 +05:30
enable :create_build
enable :create_pipeline
end
2018-05-09 12:01:36 +05:30
rule do
(can?(:read_project_for_iids) & issues_visible_to_user) | can?(:read_issue)
end.enable :read_issue_iid
rule do
2019-02-02 18:00:53 +05:30
(~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
2018-05-09 12:01:36 +05:30
end.enable :read_merge_request_iid
2019-07-07 11:18:12 +05:30
rule { ~can?(:read_cross_project) & ~classification_label_authorized }.policy do
# Preventing access here still allows the projects to be listed. Listing
# projects doesn't check the `:read_project` ability. But instead counts
# on the `project_authorizations` table.
#
# All other actions should explicitly check read project, which would
# trigger the `classification_label_authorized` condition.
#
# `:read_project_for_iids` is not prevented by this condition, as it is
# used for cross-project reference checks.
prevent :guest_access
prevent :public_access
prevent :public_user_access
prevent :reporter_access
prevent :developer_access
prevent :maintainer_access
prevent :owner_access
end
2019-09-04 21:01:54 +05:30
rule { blocked }.policy do
prevent :create_pipeline
end
2020-04-08 14:13:33 +05:30
rule { admin }.enable :change_repository_storage
2017-09-10 17:25:29 +05:30
private
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
def team_member?
2017-09-10 17:25:29 +05:30
return false if @user.nil?
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
greedy_load_subject = false
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
# when scoping by subject, we want to be greedy
# and load *all* the members with one query.
greedy_load_subject ||= DeclarativePolicy.preferred_scope == :subject
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
# in this case we're likely to have loaded #members already
# anyways, and #member? would fail with an error
greedy_load_subject ||= !@user.persisted?
if greedy_load_subject
2018-12-05 23:21:45 +05:30
# We want to load all the members with one query. Calling #include? on
# project.team.members will perform a separate query for each user, unless
# project.team.members was loaded before somewhere else. Calling #to_a
# ensures it's always loaded before checking for membership.
project.team.members.to_a.include?(user)
2017-09-10 17:25:29 +05:30
else
# otherwise we just make a specific query for
# this particular user.
team_access_level >= Gitlab::Access::GUEST
end
2017-08-17 22:00:37 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ActiveRecord
2017-09-10 17:25:29 +05:30
def project_group_member?
return false if @user.nil?
2017-08-17 22:00:37 +05:30
project.group &&
(
2017-09-10 17:25:29 +05:30
project.group.members_with_parents.exists?(user_id: @user.id) ||
project.group.requesters.exists?(user_id: @user.id)
2017-08-17 22:00:37 +05:30
)
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ActiveRecord
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
def team_access_level
return -1 if @user.nil?
2019-07-31 22:56:46 +05:30
lookup_access_level!
end
def lookup_access_level!
2020-03-09 13:42:32 +05:30
return ::Gitlab::Access::REPORTER if alert_bot?
2017-09-10 17:25:29 +05:30
# NOTE: max_member_access has its own cache
project.team.max_member_access(@user.id)
2017-08-17 22:00:37 +05:30
end
2017-09-10 17:25:29 +05:30
def feature_available?(feature)
2019-12-04 20:38:33 +05:30
return false unless project.project_feature
2017-09-10 17:25:29 +05:30
case project.project_feature.access_level(feature)
when ProjectFeature::DISABLED
false
when ProjectFeature::PRIVATE
2019-03-13 22:55:13 +05:30
admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
2017-09-10 17:25:29 +05:30
else
true
end
end
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
def project
@subject
2016-09-29 09:46:39 +05:30
end
end
2019-12-04 20:38:33 +05:30
ProjectPolicy.prepend_if_ee('EE::ProjectPolicy')