Commit 0ad8866b authored by Serena Fang's avatar Serena Fang

Remove project bot policy

It was suggested that I add a policy to check whether a project token can
log in, but that breaks container pulling, so this removes the policy
code and does more explicit permission checks instead.
parent 3972af21
...@@ -135,10 +135,6 @@ class ProjectPolicy < BasePolicy ...@@ -135,10 +135,6 @@ class ProjectPolicy < BasePolicy
::Feature.enabled?(:build_service_proxy, @subject) ::Feature.enabled?(:build_service_proxy, @subject)
end end
condition(:project_bot_is_member) do
user.project_bot? & team_member?
end
with_scope :subject with_scope :subject
condition(:packages_disabled) { !@subject.packages_enabled } condition(:packages_disabled) { !@subject.packages_enabled }
...@@ -619,8 +615,6 @@ class ProjectPolicy < BasePolicy ...@@ -619,8 +615,6 @@ class ProjectPolicy < BasePolicy
enable :admin_resource_access_tokens enable :admin_resource_access_tokens
end end
rule { project_bot_is_member & ~blocked }.enable :bot_log_in
private private
def user_is_user? def user_is_user?
......
...@@ -198,7 +198,9 @@ module Gitlab ...@@ -198,7 +198,9 @@ module Gitlab
return unless valid_scoped_token?(token, all_available_scopes) return unless valid_scoped_token?(token, all_available_scopes)
if token.user.can?(:log_in) || token.user.can?(:bot_log_in, project) return if project && token.user.project_bot? && !project.bots.include?(token.user)
if token.user.can?(:log_in) || token.user.project_bot?
Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes)) Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
end end
end end
...@@ -283,7 +285,7 @@ module Gitlab ...@@ -283,7 +285,7 @@ module Gitlab
return unless build.project.builds_enabled? return unless build.project.builds_enabled?
if build.user if build.user
return unless build.user.can?(:log_in) || build.user.can?(:bot_log_in, build.project) return unless build.user.can?(:log_in) || (build.user.project_bot? && build.project.bots&.include?(build.user))
# If user is assigned to build, use restricted credentials of user # If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities) Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
......
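Review bot: The new inline checks drop the `~blocked` guard that the removed `bot_log_in` rule carried, both in `token.user.can?(:log_in) || token.user.project_bot?` and in the build-token line `build.user.project_bot? && build.project.bots&.include?(build.user)`. Unless `project.bots` already filters out blocked users (not visible here), a blocked bot that is still a member would authenticate, so each bot branch should also require `!token.user.blocked?` / `!build.user.blocked?`. In the token hunk the membership guard is skipped whenever `project` is nil, so any project bot token then passes on `project_bot?` alone; if that is deliberate for the container-pull path named in the commit message, a comment such as `# project is nil for registry auth; bot membership cannot be checked here` would record it. The two hunks also disagree on `project.bots.include?` versus `project.bots&.include?`. The deleted policy spec covered the not-a-member and blocked cases, and no replacement specs for these checks appear on this page; both enclosing methods start outside the hunks.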
...@@ -401,40 +401,6 @@ RSpec.describe ProjectPolicy do ...@@ -401,40 +401,6 @@ RSpec.describe ProjectPolicy do
end end
end end
describe 'bot_log_in' do
let(:bot_user) { create(:user, :project_bot) }
let(:project) { private_project }
context 'when bot is in project and is not blocked' do
before do
project.add_maintainer(bot_user)
end
it 'is a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_truthy
end
end
context 'when project bot is invalid' do
context 'when bot is not in project' do
it 'is not a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_falsy
end
end
context 'when bot user is blocked' do
before do
project.add_maintainer(bot_user)
bot_user.block!
end
it 'is not a valid project bot' do
expect(bot_user.can?(:bot_log_in, project)).to be_falsy
end
end
end
end
context 'support bot' do context 'support bot' do
let(:current_user) { User.support_bot } let(:current_user) { User.support_bot }
......