// GitLab Access Level Based Authorization
// Maps to Gitlab::Access constants: Guest(10), Reporter(20), Developer(30), Maintainer(40), Owner(50)
//
// NOTE(review): every tier in this file reads the level from `principal.access_level`, a
// single attribute on the User, while membership is checked separately against
// `resource.members`. In GitLab the access level belongs to the membership (user x
// project/group), not to the user. If the entity store populates `access_level` once per
// user, a Developer on project A who is only a Guest member of project B is granted
// Developer actions on B as well. Confirm the attribute is resolved per request/resource
// (e.g. from the membership record or the request context) before relying on these tiers.
//
// Guest tier (read-only operations).
//  - Public resources: readable by any User carrying an access_level of at least Guest.
//    A User without the attribute is denied even on public resources (fail-closed); if
//    anonymous / non-member public reads are wanted they need a separate permit.
//  - Non-public resources: the principal must additionally appear in `resource.members`.
//    `principal in resource.members` is Cedar hierarchy membership, so it also holds when
//    the principal is a descendant of an entity in `members` (e.g. via a group) — confirm
//    that inherited membership is intended.
permit (
  principal is User,
  action in
    [Action::"read_project",
     Action::"read_group",
     Action::"read_issue",
     Action::"read_merge_request",
     Action::"read_pipeline",
     Action::"read_wiki",
     Action::"download_code"],
  resource
)
when {
  // Guard every attribute read with `has` so a missing attribute evaluates to a clean
  // deny instead of an evaluation error.
  resource has visibility &&
  principal has access_level &&
  principal.access_level >= 10 &&
  (resource.visibility == "public" ||
   (resource has members && principal in resource.members))
};
// Reporter tier (issue creation, build and container-image reads).
// Membership is mandatory: unlike the Guest tier, visibility is not consulted, so a public
// project does not hand these actions to non-members.
// Tiers are cumulative through `>=` rather than through the action lists: a Maintainer
// (40) or Owner (50) principal satisfies this rule too.
// The level is read from the principal itself, not from the membership that
// `resource.members` establishes; it must reflect this resource for the check to be sound.
permit (
  principal is User,
  action in
    [Action::"create_issue",
     Action::"create_issue_note",
     Action::"read_build",
     Action::"read_container_image",
     Action::"pull_container_image"],
  resource
)
when {
  resource has members &&
  principal in resource.members &&
  principal has access_level &&
  principal.access_level >= 20
};
// Developer tier (code push, merge requests, pipelines, registry push, releases).
// Requires membership plus an access_level of at least 30; visibility is irrelevant.
// `push_code` carries no branch-protection condition here. Protected-branch deletion is a
// distinct Maintainer action (`push_to_delete_protected_branch`), which suggests the caller
// is expected to choose the action based on the target branch — confirm that mapping, since
// a caller that always requests `push_code` would bypass protection at this layer.
// The level is read from the principal, not from the membership record, so it must be the
// level the principal holds on this particular resource.
permit (
  principal is User,
  action in
    [Action::"push_code",
     Action::"create_merge_request",
     Action::"update_merge_request",
     Action::"create_pipeline",
     Action::"retry_pipeline",
     Action::"push_container_image",
     Action::"create_release"],
  resource
)
when {
  resource has members &&
  principal in resource.members &&
  principal has access_level &&
  principal.access_level >= 30
};
// Maintainer tier (project administration).
// Requires membership plus an access_level of at least 40.
// `manage_project_members` is granted without any constraint on the level being assigned;
// if the application expects Cedar to stop a Maintainer from promoting someone to Owner,
// that needs a context attribute (e.g. the target level) checked here — as written, the
// restriction must live in the application.
// The level is read from the principal, not from the membership record, so it must be the
// level the principal holds on this particular resource.
permit (
  principal is User,
  action in
    [Action::"admin_project",
     Action::"manage_project_members",
     Action::"admin_merge_request",
     Action::"push_to_delete_protected_branch",
     Action::"admin_pipeline",
     Action::"admin_container_registry",
     Action::"admin_package_registry"],
  resource
)
when {
  resource has members &&
  principal in resource.members &&
  principal has access_level &&
  principal.access_level >= 40
};
// Owner tier (destructive and project-wide controls).
// Requires membership plus an access_level of at least 50. These are the actions with the
// widest blast radius in the file (destroy/transfer, visibility changes, hooks, runners);
// the admin override below also grants them, so both paths deserve audit logging.
// The level is read from the principal, not from the membership record, so it must be the
// level the principal holds on this particular resource.
permit (
  principal is User,
  action in
    [Action::"destroy_project",
     Action::"transfer_project",
     Action::"archive_project",
     Action::"change_visibility_level",
     Action::"admin_project_hooks",
     Action::"admin_project_runners"],
  resource
)
when {
  resource has members &&
  principal in resource.members &&
  principal has access_level &&
  principal.access_level >= 50
};
// Admin override: an instance administrator may perform every action on every resource,
// with no visibility or membership check at all. This is the most powerful policy in the
// file; keep the set of principals with `admin == true` small and audited.
// The `blocked` attribute must be present AND false. An admin entity that lacks the
// attribute does not get the override (fail-closed). The separate forbid for blocked users
// would already win over this permit in Cedar, so the check here is defence in depth.
permit (
  principal is User,
  action,
  resource
)
when {
  principal has admin &&
  principal.admin == true
}
unless {
  !(principal has blocked) ||
  principal.blocked
};
// Block all access for blocked users.
// In Cedar a satisfied forbid overrides every permit, so a blocked User is denied everything
// — including the admin override — regardless of access_level or membership.
// The `has` guard keeps a missing attribute from raising an evaluation error; a User with
// no `blocked` attribute is simply not forbidden by this rule.
// Scope is `principal is User` only. Other principal types are not covered, which is
// consistent with this file because every permit above is also limited to User.
forbid (
principal is User,
action,
resource
)
when { principal has blocked && principal.blocked == true };