- Feb 25, 2025
-
-
Introduces read_path_locks and create_path_locks to the project policy and destroy_path_lock to the path lock policy.

Note: admin_path_locks is defined in the project policy and the path_lock policy. Currently it is exposed in the graph API: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/graphql/ee/types/permission_types/project.rb and also referenced in the path lock helper when checking if a user can unlock a file: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/helpers/path_locks_helper.rb

We will retain the project policy ability to retain backwards compatibility in the API, however, in a future commit we will remove the path lock policy ability and update the helper to reference destroy_path_lock which is more descriptive.

Related to #512677
-
Merge branch 'security-512050-fix-read-code-review-analytics-permissions' into 'master'
See merge request gitlab-org/security/gitlab!4748
Changelog: security
-
Merge branch 'security-mc_rocha-fix-1230' into 'master'
See merge request gitlab-org/security/gitlab!4712
Changelog: security
- Feb 24, 2025
-
-
Eugie Limpin authored
Users with read_admin_cicd ability should only be able to see minimal information related to a project and its sub-resources and the visibility should also be limited to the admin CI/CD pages. This means, for example, users with read_admin_cicd should only be able to see a project's path (no URL) and owner name in the admin CI/CD pages.
-
- Feb 12, 2025
-
-
Updated respective policies and specs.
-
- Feb 11, 2025
-
-
Max Fan authored
This bot can be used to run pipelines and by doing so decrease the coupling between system pipeline runs and human runs
-
Illya Klymov authored
  * make compliance center functionality partially available at project level
  * fix relevant permissions on backend

Changelog: added
EE: true
-
- Feb 10, 2025
-
-
Merge branch 'security-disable-read-code-when-repository-is-disabled' into 'master'
See merge request gitlab-org/security/gitlab!4689
Changelog: security
-
- Feb 06, 2025
-
-
Serena Fang authored
Changelog: changed
Add yml and ignore_column
Remove batch column from down step
Move ignore_column to ce
-
Jarka Košanová authored
- make sure admin projects page is fully readable for custom role permission
-
Alisa Frunza authored
Changelog: changed
-
- Feb 05, 2025
-
-
Ayush Billore authored
  - Add rule in group and project policies.
  - Update relevant documentation.
  - Update group and project policy specs.
  - Add custom ability file to hold metadata.
  - Add request specs for the new ability.

Add custom permission in Projects::ProtectedEnvironmentsController and update settings_menu to allow admin_protected_environment

Update controller to conditionally display the protected env

Add wip feature flag and update files accordingly

Add featureflag stub in cicd controller spec

Move permission check to EE section + Add specs

Add custom permission at projects level
  - Add :admin_protected_environment ability in controller and view
  - Update project settings menu to show CI/CI when permitted
  - Update setting_menu_spec
  - Update request_spec to include project level changes

Add custom permission at projects level
  - Add :admin_protected_environment ability in controller and view
  - Update project settings menu to show CI/CI when permitted
  - Update setting_menu_spec
  - Update request_spec to include project level changes

Make code review suggestions
  - Update policy name to admin_protected_environments
  - Remove redundant methods
  - Remove redundant feature flag check
  - Update docs
  - Keep items in array in alphabetical order

Change admin_protected_environment to admin_protected_environments

Add admin_protected_environments to base project policy

Add enabled access_levels for groups and projects for permission

Apply custom policy to Controller and API of protectedenvironments

Generate custom permission for Protected Environments
  - Add custom permission in Projects::ProtectedEnvironmentsController and update settings_menu to allow admin_protected_environment
  - Update controller to conditionally display the protected env
  - Add wip feature flag and update files accordingly
  - Add featureflag stub in cicd controller spec
  - Move permission check to EE section + Add specs
  - Add custom permission at projects level
  - Add :admin_protected_environment ability in controller and view
  - Update project settings menu to show CI/CI when permitted
  - Update setting_menu_spec
  - Update request_spec to include project level changes
  - Add custom permission at projects level
  - Add :admin_protected_environment ability in controller and view
  - Update project settings menu to show CI/CI when permitted
  - Update setting_menu_spec
  - Update request_spec to include project level changes
-
Diane Russel authored
-
- Feb 04, 2025
-
-
Eugie Limpin authored
-
- Jan 29, 2025
-
-
Hinam Mehra authored
- Jan 27, 2025
-
-
Diane Russel authored
Adds a new permission for managing protected tags that can be given to custom roles.
Changelog: added
EE: true
-
- Jan 06, 2025
-
-
Gosia Ksionek authored
-
- Dec 21, 2024
-
-
Hinam Mehra authored
  - Update group and project policy
  - Disable `New framework` button when only read compliance ability is enabled and admin compliance ability is not

Changelog: added
EE: true
-
- Dec 19, 2024
-
-
Eugenia Grieff authored
Changelog: changed
-
- Dec 12, 2024
-
-
Dheeraj Joshi authored
This removes an already enabled feature flag for secret push protection feature.
Changelog: removed
EE: true
-
- Dec 06, 2024
-
-
Eugenia Grieff authored
Changelog: fixed
EE: true
-
- Dec 04, 2024
-
-
Phil Hughes authored
Updates the permissions to read project and group comment templates to be for report level and above.
Changelog: changed
EE: true
#506775
-
Jessie Young authored
  * Chat GA was in 16.11, and a licensed seat was required as of 17.6
  * Now we can remove the feature flags that were added so that specific groups and instances could require a seat before seats were required
  * Closes https://gitlab.com/gitlab-org/gitlab/-/issues/457091
  * Closes #457757

Changelog: other
EE: true
-
Jan Provaznik authored
Prevents access to projects and groups to "Duo Workflow user". Because there is currently no real "Duo Workflow user" (Duo Workflow uses user's account), the only difference is that it uses a special token for authenticating its requests (this token has "ai_workflows" scope). If this token is used for authenticating a request and it attempts to access a project or group which has Duo features disabled, it prevents access to this resource.
-
- Nov 29, 2024
-
-
Phil Hughes authored
#499798
-
- Nov 28, 2024
-
-
Gosia Ksionek authored
Changelog: fixed
MR: !173015
EE: true
-
- Nov 25, 2024
-
-
Charlie Kroon authored
-
- Nov 22, 2024
-
-
Eugenia Grieff authored
Add a new static role that defines Product Manager abilities
Add group policies for Planner role
Add project policies for Planner role
Add issue, epic and issuable policies
Changelog: added
-
- Nov 19, 2024
-
-
Felipe authored
Removes default enabled feature flag used to rollout duo enterprise add on launch.
Changelog: other
EE: true
-
- Nov 14, 2024
-
-
Radu Birsan authored
This API will allow users to request and update a project's security settings, specifically for pre_receive_secret_detection_enabled. New documentation and testing covering this change has been added. Note that only users with Maintainer+ role can update the value as this would turn on SPP for the project. Users with developer+ role can view the security settings.
Changelog: added
EE: true
-
Phil Hughes authored
When the Duo Code Review bot is added as a reviewer, this will start a new review. The bot's review status will get updated to `review_started` when it starts the review, and then to `reviewed` when the review has been finished. A new review can then be requested from the bot using the request a review feature.
-
- Nov 01, 2024
-
-
Brian Williams authored
-
- Oct 29, 2024
-
-
Vasilii Iakliushin authored
Contributes to #482942

**Problem**

We use `Authz::CustomAbility.allowed?` to check custom abilities of the user. But for each ability we trigger two database requests to fetch the same project and namespace. That leads to N+1 problem.

**Solution**

1. Restructure `Authz::CustomAbility` to support caching. The code below won't trigger unnecessary database queries for each `allowed?` call.

   ```ruby
   ability = Authz::CustomAbility.new(user, project)
   ability.allowed?(:ability_1)
   ability.allowed?(:ability_2)
   ```

2. Add caching level to the policy code

   `Authz::CustomAbility` record will be memoized and have access to permitted abilities to optimize the number of DB queries.

Changelog: performance
EE: true
-
- Oct 21, 2024
-
-
Pavel Shutsin authored
Some features will be available for pro seats while others only for enterprise seats
-
- Oct 18, 2024
-
-
Jose Ivan Vargas authored
This service allows the correspondent GraphQL type to parse the Terraform templates so GKE based runners can be created
Changelog: added
EE: true
-
- Oct 11, 2024
-
-
Surabhi Suman authored
This restricts Duo Workflow access when duo_features_enabled is set to false on project, group or instance level.
Changelog: changed
EE: true
-
- Oct 10, 2024
-
-
Illya Klymov authored
  * implement access to standard adherence report at project level

EE: true
Changelog: added
-
- Oct 09, 2024
-
-
Halil Coban authored
-