project_policy.rb 15.1 KB
Newer Older
1 2
# frozen_string_literal: true

3
class ProjectPolicy < BasePolicy
4
  extend ClassMethods
5
  include ClusterableActions
6

7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
  READONLY_FEATURES_WHEN_ARCHIVED = %i[
    issue
    list
    merge_request
    label
    milestone
    project_snippet
    wiki
    note
    pipeline
    pipeline_schedule
    build
    trigger
    environment
    deployment
    commit_status
    container_image
    pages
    cluster
Alessio Caiazza's avatar
Alessio Caiazza committed
26
    release
27 28
  ].freeze

29 30
  desc "User is a project owner"
  condition :owner do
31 32
    (project.owner.present? && project.owner == @user) ||
      project.group&.has_owner?(@user)
33
  end
34

35
  desc "Project has public builds enabled"
36
  condition(:public_builds, scope: :subject, score: 0) { project.public_builds? }
37

38
  # For guest access we use #team_member? so we can use
39 40 41 42 43
  # project.members, which gets cached in subject scope.
  # This is safe because team_access_level is guaranteed
  # by ProjectAuthorization's validation to be at minimum
  # GUEST
  desc "User has guest access"
44
  condition(:guest) { team_member? }
45

46 47
  desc "User has reporter access"
  condition(:reporter) { team_access_level >= Gitlab::Access::REPORTER }
48

49 50 51
  desc "User has developer access"
  condition(:developer) { team_access_level >= Gitlab::Access::DEVELOPER }

Mark Chao's avatar
Mark Chao committed
52
  desc "User has maintainer access"
53
  condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER }
54 55

  desc "Project is public"
56
  condition(:public_project, scope: :subject, score: 0) { project.public? }
57 58 59 60

  desc "Project is visible to internal users"
  condition(:internal_access) do
    project.internal? && !user.external?
61 62
  end

63 64 65 66
  desc "User is a member of the group"
  condition(:group_member, scope: :subject) { project_group_member? }

  desc "Project is archived"
67
  condition(:archived, scope: :subject, score: 0) { project.archived? }
68 69 70 71 72 73

  condition(:default_issues_tracker, scope: :subject) { project.default_issues_tracker? }

  desc "Container registry is disabled"
  condition(:container_registry_disabled, scope: :subject) do
    !project.container_registry_enabled
74 75
  end

76
  desc "Project has an external wiki"
77
  condition(:has_external_wiki, scope: :subject, score: 0) { project.has_external_wiki? }
78 79

  desc "Project has request access enabled"
80
  condition(:request_access_enabled, scope: :subject, score: 0) { project.request_access_enabled }
81

82
  desc "Has merge requests allowing pushes to user"
83
  condition(:has_merge_requests_allowing_pushes) do
84
    project.merge_requests_allowing_push_to_user(user).any?
85 86
  end

87 88 89 90 91
  with_scope :global
  condition(:mirror_available, score: 0) do
    ::Gitlab::CurrentSettings.current_application_settings.mirror_available
  end

92 93 94 95 96 97 98 99 100
  with_scope :subject
  condition(:classification_label_authorized, score: 32) do
    ::Gitlab::ExternalAuthorization.access_allowed?(
      @user,
      @subject.external_authorization_classification_label,
      @subject.full_path
    )
  end

101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116
  # We aren't checking `:read_issue` or `:read_merge_request` in this case
  # because it could be possible for a user to see an issuable-iid
  # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
  # allowed to read the actual issue after a more expensive `:read_issue`
  # check. These checks are intended to be used alongside
  # `:read_project_for_iids`.
  #
  # `:read_issue` & `:read_issue_iid` could diverge in gitlab-ee.
  condition(:issues_visible_to_user, score: 4) do
    @subject.feature_available?(:issues, @user)
  end

  condition(:merge_requests_visible_to_user, score: 4) do
    @subject.feature_available?(:merge_requests, @user)
  end

117 118 119
  condition(:has_clusters, scope: :subject) { clusterable_has_clusters? }
  condition(:can_have_multiple_clusters) { multiple_clusters_available? }

120 121 122 123
  condition(:internal_builds_disabled) do
    !@subject.builds_enabled?
  end

124 125 126 127 128 129 130
  features = %w[
    merge_requests
    issues
    repository
    snippets
    wiki
    builds
131
    pages
132 133 134 135 136 137
  ]

  features.each do |f|
    # these are scored high because they are unlikely
    desc "Project has #{f} disabled"
    condition(:"#{f}_disabled", score: 32) { !feature_available?(f.to_sym) }
138 139
  end

140 141 142 143
  # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
  # not.
  rule { guest | admin }.enable :read_project_for_iids

144 145 146
  rule { guest }.enable :guest_access
  rule { reporter }.enable :reporter_access
  rule { developer }.enable :developer_access
147
  rule { maintainer }.enable :maintainer_access
148
  rule { owner | admin }.enable :owner_access
149

150
  rule { can?(:owner_access) }.policy do
151 152 153
    enable :guest_access
    enable :reporter_access
    enable :developer_access
154
    enable :maintainer_access
155 156 157 158 159 160 161 162 163

    enable :change_namespace
    enable :change_visibility_level
    enable :rename_project
    enable :remove_project
    enable :archive_project
    enable :remove_fork_project
    enable :destroy_merge_request
    enable :destroy_issue
164 165 166 167

    enable :set_issue_iid
    enable :set_issue_created_at
    enable :set_note_created_at
168
  end
169

170 171
  rule { can?(:guest_access) }.policy do
    enable :read_project
172
    enable :create_merge_request_in
173 174 175 176 177 178 179 180 181 182 183 184 185 186
    enable :read_board
    enable :read_list
    enable :read_wiki
    enable :read_issue
    enable :read_label
    enable :read_milestone
    enable :read_project_snippet
    enable :read_project_member
    enable :read_note
    enable :create_project
    enable :create_issue
    enable :create_note
    enable :upload_file
    enable :read_cycle_analytics
187
    enable :award_emoji
188
    enable :read_pages_content
189
  end
190

191
  # These abilities are not allowed to admins that are not members of the project,
192
  # that's why they are defined separately.
193
  rule { guest & can?(:download_code) }.enable :build_download_code
194
  rule { guest & can?(:read_container_image) }.enable :build_read_container_image
195

196 197
  rule { can?(:reporter_access) }.policy do
    enable :download_code
198
    enable :read_statistics
199 200 201 202
    enable :download_wiki_code
    enable :fork_project
    enable :create_project_snippet
    enable :update_issue
203
    enable :reopen_issue
204 205 206 207 208 209 210 211 212 213
    enable :admin_issue
    enable :admin_label
    enable :admin_list
    enable :read_commit_status
    enable :read_build
    enable :read_container_image
    enable :read_pipeline
    enable :read_environment
    enable :read_deployment
    enable :read_merge_request
214
    enable :read_sentry_issue
215
    enable :read_release
216
    enable :read_prometheus
217
  end
218

219 220
  # We define `:public_user_access` separately because there are cases in gitlab-ee
  # where we enable or prevent it based on other coditions.
221 222
  rule { (~anonymous & public_project) | internal_access }.policy do
    enable :public_user_access
223
    enable :read_project_for_iids
224
  end
225

226
  rule { can?(:public_user_access) }.policy do
227
    enable :public_access
228
    enable :guest_access
229 230 231

    enable :fork_project
    enable :build_download_code
232
    enable :build_read_container_image
233 234
    enable :request_access
  end
235

236 237 238
  rule { owner | admin | guest | group_member }.prevent :request_access
  rule { ~request_access_enabled }.prevent :request_access

Heinrich Lee Yu's avatar
Heinrich Lee Yu committed
239
  rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
Heinrich Lee Yu's avatar
Heinrich Lee Yu committed
240

241 242
  rule { can?(:developer_access) }.policy do
    enable :admin_merge_request
243
    enable :admin_milestone
244
    enable :update_merge_request
245
    enable :reopen_merge_request
246 247 248 249 250 251
    enable :create_commit_status
    enable :update_commit_status
    enable :create_build
    enable :update_build
    enable :create_pipeline
    enable :update_pipeline
252
    enable :read_pipeline_schedule
253
    enable :create_pipeline_schedule
254
    enable :create_merge_request_from
255 256 257 258 259 260 261
    enable :create_wiki
    enable :push_code
    enable :resolve_note
    enable :create_container_image
    enable :update_container_image
    enable :create_environment
    enable :create_deployment
Alessio Caiazza's avatar
Alessio Caiazza committed
262 263
    enable :create_release
    enable :update_release
264 265
  end

266
  rule { can?(:maintainer_access) }.policy do
267
    enable :push_to_delete_protected_branch
268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284
    enable :update_project_snippet
    enable :update_environment
    enable :update_deployment
    enable :admin_project_snippet
    enable :admin_project_member
    enable :admin_note
    enable :admin_wiki
    enable :admin_project
    enable :admin_commit_status
    enable :admin_build
    enable :admin_container_image
    enable :admin_pipeline
    enable :admin_environment
    enable :admin_deployment
    enable :admin_pages
    enable :read_pages
    enable :update_pages
285
    enable :remove_pages
286
    enable :read_cluster
287
    enable :add_cluster
288
    enable :create_cluster
289 290
    enable :update_cluster
    enable :admin_cluster
291
    enable :create_environment_terminal
Shinya Maeda's avatar
Shinya Maeda committed
292
    enable :destroy_release
293
    enable :destroy_artifacts
294
    enable :daily_statistics
295
  end
296

297 298
  rule { (mirror_available & can?(:admin_project)) | admin }.enable :admin_remote_mirror

299 300
  rule { archived }.policy do
    prevent :push_code
301 302 303 304
    prevent :push_to_delete_protected_branch
    prevent :request_access
    prevent :upload_file
    prevent :resolve_note
305 306
    prevent :create_merge_request_from
    prevent :create_merge_request_in
307
    prevent :award_emoji
308 309 310 311 312 313 314 315

    READONLY_FEATURES_WHEN_ARCHIVED.each do |feature|
      prevent(*create_update_admin_destroy(feature))
    end
  end

  rule { issues_disabled }.policy do
    prevent(*create_read_update_admin_destroy(:issue))
316 317
    prevent(*create_read_update_admin_destroy(:board))
    prevent(*create_read_update_admin_destroy(:list))
318 319
  end

320
  rule { merge_requests_disabled | repository_disabled }.policy do
321 322
    prevent :create_merge_request_in
    prevent :create_merge_request_from
323
    prevent(*create_read_update_admin_destroy(:merge_request))
324 325
  end

326 327
  rule { pages_disabled }.prevent :read_pages_content

328
  rule { issues_disabled & merge_requests_disabled }.policy do
329 330
    prevent(*create_read_update_admin_destroy(:label))
    prevent(*create_read_update_admin_destroy(:milestone))
331 332 333
  end

  rule { snippets_disabled }.policy do
334
    prevent(*create_read_update_admin_destroy(:project_snippet))
335 336
  end

337
  rule { wiki_disabled }.policy do
338
    prevent(*create_read_update_admin_destroy(:wiki))
339 340 341 342
    prevent(:download_wiki_code)
  end

  rule { builds_disabled | repository_disabled }.policy do
343 344 345
    prevent(*create_read_update_admin_destroy(:build))
    prevent(*create_read_update_admin_destroy(:pipeline_schedule))
    prevent(*create_read_update_admin_destroy(:environment))
346
    prevent(*create_read_update_admin_destroy(:cluster))
347
    prevent(*create_read_update_admin_destroy(:deployment))
348 349
  end

350 351 352 353 354 355 356 357 358 359
  # There's two separate cases when builds_disabled is true:
  # 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
  #   - We do not prevent the user from accessing Pipelines to allow him to access external CI
  # 2. When the user is not allowed to access CI - builds_disabled && ~internal_builds_disabled
  #   - We prevent the user from accessing Pipelines
  rule { (builds_disabled & ~internal_builds_disabled) | repository_disabled }.policy do
    prevent(*create_read_update_admin_destroy(:pipeline))
    prevent(*create_read_update_admin_destroy(:commit_status))
  end

360 361 362 363 364
  rule { repository_disabled }.policy do
    prevent :push_code
    prevent :download_code
    prevent :fork_project
    prevent :read_commit_status
365
    prevent :read_pipeline
Alessio Caiazza's avatar
Alessio Caiazza committed
366
    prevent(*create_read_update_admin_destroy(:release))
367 368 369
  end

  rule { container_registry_disabled }.policy do
370
    prevent(*create_read_update_admin_destroy(:container_image))
371 372 373
  end

  rule { anonymous & ~public_project }.prevent_all
374 375 376 377 378

  rule { public_project }.policy do
    enable :public_access
    enable :read_project_for_iids
  end
379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394

  rule { can?(:public_access) }.policy do
    enable :read_project
    enable :read_board
    enable :read_list
    enable :read_wiki
    enable :read_label
    enable :read_milestone
    enable :read_project_snippet
    enable :read_project_member
    enable :read_merge_request
    enable :read_note
    enable :read_pipeline
    enable :read_commit_status
    enable :read_container_image
    enable :download_code
Alessio Caiazza's avatar
Alessio Caiazza committed
395
    enable :read_release
396 397
    enable :download_wiki_code
    enable :read_cycle_analytics
398
    enable :read_pages_content
399 400 401 402 403 404 405 406 407 408 409 410 411

    # NOTE: may be overridden by IssuePolicy
    enable :read_issue
  end

  rule { public_builds }.policy do
    enable :read_build
  end

  rule { public_builds & can?(:guest_access) }.policy do
    enable :read_pipeline
  end

412
  # These rules are included to allow maintainers of projects to push to certain
413 414
  # to run pipelines for the branches they have access to.
  rule { can?(:public_access) & has_merge_requests_allowing_pushes }.policy do
415 416 417 418
    enable :create_build
    enable :create_pipeline
  end

419 420 421 422 423
  rule do
    (can?(:read_project_for_iids) & issues_visible_to_user) | can?(:read_issue)
  end.enable :read_issue_iid

  rule do
424
    (~guest & can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
425 426
  end.enable :read_merge_request_iid

427 428
  rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster

429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447
  rule { ~can?(:read_cross_project) & ~classification_label_authorized }.policy do
    # Preventing access here still allows the projects to be listed. Listing
    # projects doesn't check the `:read_project` ability. But instead counts
    # on the `project_authorizations` table.
    #
    # All other actions should explicitly check read project, which would
    # trigger the `classification_label_authorized` condition.
    #
    # `:read_project_for_iids` is not prevented by this condition, as it is
    # used for cross-project reference checks.
    prevent :guest_access
    prevent :public_access
    prevent :public_user_access
    prevent :reporter_access
    prevent :developer_access
    prevent :maintainer_access
    prevent :owner_access
  end

448 449
  private

450
  def team_member?
451 452 453 454 455 456 457 458 459 460 461 462 463
    return false if @user.nil?

    greedy_load_subject = false

    # when scoping by subject, we want to be greedy
    # and load *all* the members with one query.
    greedy_load_subject ||= DeclarativePolicy.preferred_scope == :subject

    # in this case we're likely to have loaded #members already
    # anyways, and #member? would fail with an error
    greedy_load_subject ||= !@user.persisted?

    if greedy_load_subject
464 465 466 467 468
      # We want to load all the members with one query. Calling #include? on
      # project.team.members will perform a separate query for each user, unless
      # project.team.members was loaded before somewhere else. Calling #to_a
      # ensures it's always loaded before checking for membership.
      project.team.members.to_a.include?(user)
469 470 471 472 473 474 475
    else
      # otherwise we just make a specific query for
      # this particular user.
      team_access_level >= Gitlab::Access::GUEST
    end
  end

476
  # rubocop: disable CodeReuse/ActiveRecord
477 478 479
  def project_group_member?
    return false if @user.nil?

480 481
    project.group &&
      (
482 483
        project.group.members_with_parents.exists?(user_id: @user.id) ||
        project.group.requesters.exists?(user_id: @user.id)
484 485
      )
  end
486
  # rubocop: enable CodeReuse/ActiveRecord
487

488 489
  def team_access_level
    return -1 if @user.nil?
490

491 492 493 494 495 496 497 498 499
    # NOTE: max_member_access has its own cache
    project.team.max_member_access(@user.id)
  end

  def feature_available?(feature)
    case project.project_feature.access_level(feature)
    when ProjectFeature::DISABLED
      false
    when ProjectFeature::PRIVATE
500
      admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
501 502 503 504 505 506 507
    else
      true
    end
  end

  def project
    @subject
508
  end
509
end