Move Design Management Policies to FOSS

This change is part of
https://gitlab.com/gitlab-org/gitlab/-/issues/212566 to move all Design
Management code to FOSS.

app/policies/issue_policy.rb

@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy
   desc "Issue is confidential"
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
+  desc "Issue has moved"
+  condition(:moved) { @subject.moved? }
+
   rule { confidential & ~can_read_confidential }.policy do
     prevent(*create_read_update_admin_destroy(:issue))
     prevent :read_issue_iid
@@ -25,6 +28,15 @@ class IssuePolicy < IssuablePolicy
   rule { locked }.policy do
     prevent :reopen_issue
   end
-end
 
-IssuePolicy.prepend_if_ee('::EE::IssuePolicy')
+  rule { ~can?(:read_issue) }.policy do
+    prevent :read_design
+    prevent :create_design
+    prevent :destroy_design
+  end
+
+  rule { locked | moved }.policy do
+    prevent :create_design
+    prevent :destroy_design
+  end
+end

app/policies/project_policy.rb

@@ -11,6 +11,7 @@ class ProjectPolicy < BasePolicy
     milestone
     snippet
     wiki
+    design
     note
     pipeline
     pipeline_schedule
@@ -107,6 +108,11 @@ class ProjectPolicy < BasePolicy
     )
   end
 
+  with_scope :subject
+  condition(:design_management_disabled) do
+    !@subject.design_management_enabled?
+  end
+
   # We aren't checking `:read_issue` or `:read_merge_request` in this case
   # because it could be possible for a user to see an issuable-iid
   # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
@@ -299,6 +305,8 @@ class ProjectPolicy < BasePolicy
     enable :create_metrics_dashboard_annotation
     enable :delete_metrics_dashboard_annotation
     enable :update_metrics_dashboard_annotation
+    enable :create_design
+    enable :destroy_design
   end
 
   rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -511,6 +519,17 @@ class ProjectPolicy < BasePolicy
 
   rule { admin }.enable :change_repository_storage
 
+  rule { can?(:read_issue) }.policy do
+    enable :read_design
+  end
+
+  # Design abilities could also be prevented in the issue policy.
+  rule { design_management_disabled }.policy do
+    prevent :read_design
+    prevent :create_design
+    prevent :destroy_design
+  end
+
   private
 
   def team_member?

ee/app/policies/ee/issue_policy.rb

-# frozen_string_literal: true
-
-module EE
-  module IssuePolicy
-    extend ActiveSupport::Concern
-    prepended do
-      condition(:moved) { @subject.moved? }
-
-      rule { ~can?(:read_issue) }.policy do
-        prevent :read_design
-        prevent :create_design
-        prevent :destroy_design
-      end
-
-      rule { locked | moved }.policy do
-        prevent :create_design
-        prevent :destroy_design
-      end
-    end
-  end
-end

ee/app/policies/ee/project_policy.rb

@@ -14,7 +14,6 @@ module EE
       license_management
       feature_flag
       feature_flags_client
-      design
     ].freeze
 
     prepended do
@@ -112,11 +111,6 @@ module EE
         !@subject.feature_available?(:feature_flags)
       end
 
-      with_scope :subject
-      condition(:design_management_disabled) do
-        !@subject.design_management_enabled?
-      end
-
       with_scope :subject
       condition(:code_review_analytics_enabled) do
         @subject.feature_available?(:code_review_analytics, @user)
@@ -157,7 +151,6 @@ module EE
 
       rule { can?(:read_issue) }.policy do
         enable :read_issue_link
-        enable :read_design
       end
 
       rule { can?(:reporter_access) }.policy do
@@ -182,8 +175,6 @@ module EE
         enable :destroy_feature_flag
         enable :admin_feature_flag
         enable :admin_feature_flags_user_lists
-        enable :create_design
-        enable :destroy_design
       end
 
       rule { can?(:public_access) }.enable :read_package
@@ -345,14 +336,6 @@ module EE
 
       rule { web_ide_terminal_available & can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
 
-      # Design abilities could also be prevented in the issue policy.
-      # If the user cannot read the issue, then they cannot see the designs.
-      rule { design_management_disabled }.policy do
-        prevent :read_design
-        prevent :create_design
-        prevent :destroy_design
-      end
-
       rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
 
       rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics