group_policy.rb 8.31 KB
Newer Older
1 2
# frozen_string_literal: true

3
class GroupPolicy < BasePolicy
4 5
  include FindGroupProjects

6 7 8 9 10 11 12 13
  desc "Group is public"
  with_options scope: :subject, score: 0
  condition(:public_group) { @subject.public? }

  with_score 0
  condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }

  condition(:has_access) { access_level != GroupMember::NO_ACCESS }
14

15
  condition(:guest) { access_level >= GroupMember::GUEST }
16
  condition(:developer) { access_level >= GroupMember::DEVELOPER }
17
  condition(:owner) { access_level >= GroupMember::OWNER }
18
  condition(:maintainer) { access_level >= GroupMember::MAINTAINER }
19
  condition(:reporter) { access_level >= GroupMember::REPORTER }
20

Michael Kozono's avatar
Michael Kozono committed
21
  condition(:has_parent, scope: :subject) { @subject.has_parent? }
22 23
  condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
  condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
Michael Kozono's avatar
Michael Kozono committed
24
  condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
25

26
  condition(:has_projects) do
27
    group_projects_for(user: @user, group: @subject).any?
28
  end
29 30 31 32

  with_options scope: :subject, score: 0
  condition(:request_access_enabled) { @subject.request_access_enabled }

33 34 35 36 37 38 39 40
  condition(:create_projects_disabled) do
    @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
  end

  condition(:developer_maintainer_access) do
    @subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
  end

41 42 43 44
  condition(:maintainer_can_create_group) do
    @subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
  end

45 46 47 48
  condition(:design_management_enabled) do
    group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
  end

49 50 51 52
  condition(:dependency_proxy_available) do
    @subject.dependency_proxy_feature_available?
  end

53 54 55 56 57 58 59 60
  condition(:dependency_proxy_access_allowed) do
    if Feature.enabled?(:dependency_proxy_for_private_groups, default_enabled: true)
      access_level >= GroupMember::REPORTER || valid_dependency_proxy_deploy_token
    else
      can?(:read_group)
    end
  end

61 62 63 64 65 66 67 68 69 70
  desc "Deploy token with read_package_registry scope"
  condition(:read_package_registry_deploy_token) do
    @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
  end

  desc "Deploy token with write_package_registry scope"
  condition(:write_package_registry_deploy_token) do
    @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.write_package_registry
  end

71
  with_scope :subject
72 73
  condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
  condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
74

75 76 77
  with_scope :subject
  condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }

78
  rule { can?(:read_group) & design_management_enabled }.policy do
79 80 81
    enable :read_design_activity
  end

82 83
  rule { public_group }.policy do
    enable :read_group
84
    enable :read_package
85 86
  end

87
  rule { logged_in_viewable }.enable :read_group
88 89 90

  rule { guest }.policy do
    enable :read_group
91
    enable :upload_file
92 93
  end

94 95 96 97
  rule { admin }.policy do
    enable :read_group
    enable :update_max_artifacts_size
  end
98

99 100 101 102
  rule { can?(:read_all_resources) }.policy do
    enable :read_confidential_issues
  end

103
  rule { has_projects }.policy do
104 105 106 107 108
    enable :read_group
  end

  rule { can?(:read_group) }.policy do
    enable :read_milestone
109
    enable :read_issue_board_list
110
    enable :read_label
111
    enable :read_issue_board
112
    enable :read_group_member
113
    enable :read_custom_emoji
114
  end
115

116 117 118 119
  rule { ~can?(:read_group) }.policy do
    prevent :read_design_activity
  end

120 121
  rule { has_access }.enable :read_namespace

122 123
  rule { developer }.policy do
    enable :admin_milestone
124 125 126
    enable :create_metrics_dashboard_annotation
    enable :delete_metrics_dashboard_annotation
    enable :update_metrics_dashboard_annotation
127
    enable :create_custom_emoji
128
    enable :create_package
129
    enable :create_package_settings
130
  end
131 132

  rule { reporter }.policy do
133
    enable :reporter_access
134
    enable :read_container_image
135
    enable :admin_issue_board
136
    enable :admin_label
137
    enable :admin_issue_board_list
138
    enable :admin_issue
139
    enable :read_metrics_dashboard_annotation
140
    enable :read_prometheus
141
    enable :read_package
142
    enable :read_package_settings
143 144
  end

145
  rule { maintainer }.policy do
146
    enable :destroy_package
147
    enable :create_projects
148 149
    enable :admin_pipeline
    enable :admin_build
150
    enable :read_cluster
151
    enable :add_cluster
152 153 154
    enable :create_cluster
    enable :update_cluster
    enable :admin_cluster
155
    enable :read_deploy_token
156
    enable :create_jira_connect_subscription
157
    enable :update_runners_registration_token
158 159 160 161 162 163 164
  end

  rule { owner }.policy do
    enable :admin_group
    enable :admin_namespace
    enable :admin_group_member
    enable :change_visibility_level
165 166

    enable :set_note_created_at
167
    enable :set_emails_disabled
168
    enable :change_prevent_sharing_groups_outside_hierarchy
169
    enable :change_new_user_signups_cap
170
    enable :update_default_branch_protection
171 172
    enable :create_deploy_token
    enable :destroy_deploy_token
173 174
  end

175 176 177 178 179 180 181
  rule { can?(:read_nested_project_resources) }.policy do
    enable :read_group_activity
    enable :read_group_issues
    enable :read_group_boards
    enable :read_group_labels
    enable :read_group_milestones
    enable :read_group_merge_requests
182
    enable :read_group_build_report_results
183 184 185 186 187 188
  end

  rule { can?(:read_cross_project) & can?(:read_group) }.policy do
    enable :read_nested_project_resources
  end

189 190
  rule { owner }.enable :create_subgroup
  rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
191 192 193 194 195 196 197 198 199

  rule { public_group | logged_in_viewable }.enable :view_globally

  rule { default }.enable(:request_access)

  rule { ~request_access_enabled }.prevent :request_access
  rule { ~can?(:view_globally) }.prevent   :request_access
  rule { has_access }.prevent              :request_access

Michael Kozono's avatar
Michael Kozono committed
200
  rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
201

202 203 204
  rule { developer & developer_maintainer_access }.enable :create_projects
  rule { create_projects_disabled }.prevent :create_projects

205 206 207 208
  rule { owner | admin }.policy do
    enable :owner_access
    enable :read_statistics
  end
209

210 211
  rule { maintainer & can?(:create_projects) }.enable :transfer_projects

212 213 214 215 216 217 218
  rule { read_package_registry_deploy_token }.policy do
    enable :read_package
    enable :read_group
  end

  rule { write_package_registry_deploy_token }.policy do
    enable :create_package
219
    enable :read_package
220 221 222
    enable :read_group
  end

223
  rule { dependency_proxy_access_allowed & dependency_proxy_available }
224 225 226 227 228
    .enable :read_dependency_proxy

  rule { developer & dependency_proxy_available }
    .enable :admin_dependency_proxy

229 230 231 232
  rule { can?(:admin_group) }.policy do
    enable :update_group_shared_runners_setting
  end

233
  rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
234 235
    enable :read_resource_access_tokens
    enable :destroy_resource_access_tokens
236
    enable :admin_setting_to_allow_project_access_token_creation
237 238
  end

239
  rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
240
    enable :create_resource_access_tokens
241 242
  end

243 244 245 246
  rule { support_bot & has_project_with_service_desk_enabled }.policy do
    enable :read_label
  end

247 248
  def access_level
    return GroupMember::NO_ACCESS if @user.nil?
249
    return GroupMember::NO_ACCESS unless user_is_user?
250

251 252 253 254 255
    @access_level ||= lookup_access_level!
  end

  def lookup_access_level!
    @subject.max_member_access_for_user(@user)
256
  end
257 258 259 260 261 262

  private

  def user_is_user?
    user.is_a?(User)
  end
263 264 265 266 267

  def group
    @subject
  end

268 269 270 271 272
  def resource_access_token_feature_available?
    true
  end

  def resource_access_token_creation_allowed?
273
    resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
274
  end
275 276 277 278

  def valid_dependency_proxy_deploy_token
    @user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject)
  end
279
end
280

281
GroupPolicy.prepend_mod_with('GroupPolicy')