Add cop for policy condition scope
- [ ] Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you receive complimentary access to GitLab Duo.
What does this MR do and why?
This MR introduces a custom RuboCop cop: Gitlab/PolicyConditionScope.
The cop enforces correct usage of the `scope:` option in `condition` blocks within policy files: only the references permitted by the declared scope may be used inside the block. This helps prevent incorrect behavior in the Declarative Policy framework, such as caching issues caused by scope misuse.
If scopes are used in policy files, the condition blocks should meet the following requirements:
| Scope | Condition |
|---|---|
| `:subject` | Block should reference `@subject` but not `@user` |
| `:user` | Block should reference `@user` but not `@subject` |
| `:global` | Block should not reference `@user` or `@subject` |
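As an added illustration (not the cop shipped in this MR), the following standalone Ruby checker applies the scope table above to `condition` blocks in a policy file, using the stdlib `Ripper` lexer to find instance-variable references. The `condition(...) do ... end` matching is a deliberately simple regex that assumes flat block bodies, and the sample policy is constructed, not real GitLab code.

```ruby
require "ripper"

# Scope => ivars the block must reference, and ivars it must not reference
# (mirrors the rule table; hypothetical simplification of the real cop).
SCOPE_RULES = {
  subject: { required: %w[@subject], disallowed: %w[@user] },
  user:    { required: %w[@user],    disallowed: %w[@subject] },
  global:  { required: [],           disallowed: %w[@user @subject] }
}.freeze

# Matches `condition(:name, scope: :scope) do ... end` with a flat body.
# Nested do/end blocks are not handled in this simplified example.
CONDITION_RE = /condition\(:(\w+),\s*scope:\s*:(\w+)\)\s*do\n(.*?)^\s*end$/m

# Instance variables referenced in a Ruby source fragment, via the stdlib lexer.
def ivars_in(source)
  Ripper.lex(source).select { |tok| tok[1] == :on_ivar }.map { |tok| tok[2] }.uniq
end

# Returns offense messages for one condition block, using the cop's wording
# for disallowed references plus a message for a missing required reference.
def check_condition(name, scope, body)
  rules = SCOPE_RULES[scope.to_sym]
  return ["#{name}: unknown scope #{scope}"] unless rules

  refs = ivars_in(body)
  bad = (refs & rules[:disallowed]).map { |v| v.delete_prefix("@") }
  missing = (rules[:required] - refs).map { |v| v.delete_prefix("@") }
  msgs = []
  msgs << "#{name}: Scope #{scope} uses disallowed references: #{bad.join(', ')}" unless bad.empty?
  msgs << "#{name}: Scope #{scope} never references: #{missing.join(', ')}" unless missing.empty?
  msgs
end

# Scans a whole policy file's source and returns all offenses found.
def check_policy_source(source)
  source.scan(CONDITION_RE).flat_map { |name, scope, body| check_condition(name, scope, body) }
end

# Constructed sample policy: one correct condition and two that misuse scope.
SAMPLE_POLICY = <<~RUBY
  condition(:public_project, scope: :subject) do
    @subject.public?
  end

  condition(:admin, scope: :user) do
    @user&.admin? && @subject.present?
  end

  condition(:feature_enabled, scope: :global) do
    Feature.enabled?(:foo, @user)
  end
RUBY

puts check_policy_source(SAMPLE_POLICY) if $PROGRAM_NAME == __FILE__
```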
References
gitlab-org/ruby/gems/declarative-policy#36 (closed)
Screenshots or screen recordings
🎥 Cache Invalidation Issue Due to Wrong Scope
This video explains how incorrect usage of scope in policy condition blocks can lead to unexpected behavior — especially caching issues in the Declarative Policy framework. It demonstrates why enforcing proper scope references is important and how the new RuboCop cop helps catch these problems.
How to set up and validate locally
```console
$ rubocop --cache false --only Gitlab/PolicyConditionScope app/policies ee/app/policies/
Inspecting 353 files
.............................................................................................................................................................................................................................................................C...................................................................................................

Offenses:

ee/app/policies/ee/packages/policies/dependency_proxy/group_policy.rb:15:54: C: Gitlab/PolicyConditionScope: Scope subject uses disallowed references: user. See https://docs.gitlab.com/development/policies/#scope
condition(:no_active_sso_session, scope: :subject) do
                                                     ^^^^^^^^

353 files inspected, 1 offense detected
```
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.