►
Description
In this video, we discuss how permissions are implemented in GitLab codebase and what policies we use for Secure features.
https://gitlab.com/gitlab-org/security-products/brown-bag-sessions/issues/1
A
Let's
start
so
today
we
are
going
to
talk
about
rails
policies
and
permission.
So,
let's
start
so
all
the
policies
in
github
code
base
are
using
declarative
policy
framework.
So
this
framework
was
written
inside
of
the
Key
Club
and
the
code
base.
You
will
find
in
declarative
poll.
Sleep
declarative,
pools,
folder,
but
it
looks
very
close
to
bandit
and
for
a
few
days,
I
was
working
with
permission.
I
was
actually
confused,
set
a
sexual
punted,
not
declarative
policy.
A
So
basically,
the
most
important
in
this
framework
is
class
ability
and
it's
methods
allowed
which
allows
us
to
check
if
you
don't
have
an
ability
to
see
some
object
or
interact
with
some
object.
We
usually
use
these
methods
implicitly
in
the
for
action.
Filters
like
authorized
happen
and
the
methods
can.
Maybe
you
see
this
in
controller
somewhere.
It's
actually
cool
inside
this
ability
allowed
method.
So
all
the
policy.
A
So
you
should
be
careful
with
everything
so
for
all
the
security
features
to
reuse
a
few
different
rules.
Most
of
them
are
grouped
inside
of
the
project
policy
and
have
another
one
in
the
group
policy.
So
let's
dig
in
and
talk
about
all
the
different
policies,
one
by
mine,
so
the
first
punch
its
rules
for
read
security
dashboard.
So
what
everyone
knows
is
this
feature,
so
you
can
have
group
or
project
that
part
and
to
have
an
access
to
it.
You
have.
A
The
feature
should
be
available
and
user
should
have
at
least
and
the
developer
axis,
and
let's
talk
a
little
bit
more
about
each
available
method,
so
it's
implemented
on
project
and
namespace
or
group,
and
you
can
actually
so
we
have
the
same
condition
in
both
project
policy
and
group
policy.
So
it's
basically
checking
if
it's
implicitly
checking
to
things
that
this
feature
is
licensed
it.
A
Request
or
pipelines,
and
you
can
check
it
in
the
settings
settings
if
you
want
this
feature
for
purchase
or
not,
and
this
method
feature
available,
it's
actually
the
chicken
was
those
links
so
for
we
have
a
bunch
of
policies
for
a
separate
software
license
policies,
and
you
can
be
using
these
permissions
for
public
API
and
for
license
compliance
page
as
far
as
I
know,
so
as
well
as
they
chicken.
If
we
have
this
feature
available
and
user,
have
an
access
to
the
project
completed
or
have
maintainer
access
for,
providing
some
create,
delete,
admin
actions.
A
Next
is
dependency
least
publicly
pay.
So
we
have
this
feature
dependency
list
which
actually
showing
users
what
dependency
we
have
this
project
and
we
have
publicly
paid
for
this
feature
so
because
user
can,
if
you
choose
it,
you
can
see
the
repository
user
can
see
all
the
dependencies.
So
that's
why
we
need
to
put
this
fee
for
this
rule.
We
need
to
check
if
the
feature
obviously
features
available
and
user.
Can
it's
not
it's
kind
of
tricky
user
can't
download
code,
so
we
should
basically
check
and
see.
Is
that
user
can
read
the
repository,
but.
A
Historically,
read
repository
is
actually
their
rule,
can
download
code
so
I,
don't
remember
how
I
truly
find
it
but
flex
it
next.
One
is
their
permission,
for
a
read
depends
the
listview
and
right
now
it
have
the
same
access
level
as
security,
but
just
for
now
and
to
be
I
guess
will
be
changed
in
near
future,
because,
right
now
the
pencil
list
page
shows
us
different
different
information
dependencies.
It's
variabilities
licenses,
so
obviously
it
could.
A
B
A
A
A
So
this
permission
allows
us
to
read
full
mobility
feedback
and
the
wish
of
this
information
is
in
different
places.
What
I
found
in
the
code
base
right
now
is
that
it
is
shown
only
on
the
merge
request,
a
widget,
but
as
far
as
you
remember
previously,
we
shall
we
show
our
ability,
feedback,
condemn
pipelines,
view
I,
guess
somewhat
were
changed
or
it'll
be
added
in
the
future.
So
we
have
the
rules
that
user
can
have
to
read
the
project
or
have
an
access
like
can
with
merge,
request
or
read
bills.
A
A
Don't
have
an
access
to
the
project
but
say
actually
like
don't
help,
but
we
don't
like.
We
don't
need
an
access,
the
whole
project.
We
are
interested
only
in
few
parts
like
merge,
request
and
pipelines
and
because
in
settings
we
have
different
lot
of
different
settings.
So
we
actually
have
to
check
all
this
possible
cases
because
we
have
different
situation,
for
example,
so
we
can
check
different
access
levels
for
a
merge
request
and
pipelines.
A
So,
for
example,
if
you
go
to
the
Settings
General
in
on
the
project
menu,
we
can
go
to
the
repository
tap
and
can
see
that
you
can
check
different
access
level
for
much
requested
pipelines
and
purpose
it.
You
as
well
so
for
a
private
project,
is
kind
of
very
simple,
because
only
user
who
have
an
access
to
the
project
can
have
an
access
to
positive
image
requests
in
pipelines,
but
for
public
and
for
internal
projects.
A
You
can
just
like
check
all
the
different
kinds
of
access
and
as
well,
you
can
just
press
out
and
make
this
feature
unavailable.
It's
not
like
all
of
it.
There
is
another
part
of
settings,
says
D
part
when
we
have
check
for
public
pipelines,
so
this
public
pipelines
Seton's
allows
users
like
not
authorized
its
users
to
see
your
pipelines
and
it's
kind
of
contradict
with
the
settings
for
our
pipelines,
so
actually
how
it
works.
A
If
you
check
public
pipelines
and
you
allow
pipelines
for
everyone
within
access
on
the
general
tab,
Doozers
mm,
without
some
taxes
will
have
an
access
to
the
project.
So
actually
it's
works
like
and
room,
and
if
we
go
for
like
this
condition,
so
a
user
have
can
be
able
to
read
bills
and
this
route
built
is.
This
rule
actually
implement
all
this
logic.
So
it's
actually
a
check
if
pipelines
I
our
public
and
access
to
the
pipeline's
are
set
for
everyone.
A
Yeah,
so
if
you
interesting
how
all
the
settings
for
a
project
a
Stewart,
you
can
go
to
the
project
feature
model
and
it's
table
project
features
and
you
can
see
all
the
access
level
values
that
are
stored
for
per
project.
For
example,
I
checked
I
like
crazy
snippet
and
we
can
see
an
access
level
for
builds
and
Midwest
and
yeah
builds
and
pipelines
are
the
same.
So
in
the
code
we
have
bills,
but
in
the
UI
we
have
right
now
my
plans
everywhere.
A
So
what
challenges
that
we
have
to
solve
in
future?
So
we
have
to
create
monkey
granule
access
for
our
components
because,
as
I
said,
for
example,
for
dependency
lists,
page
different
users
like
we
have
a
lot
of
different
informations
and
all
this
information
should
be
accessible
by
different
rules
because
like
if
you
are
a
developer
and
not
interested
in
vulnerabilities,
maybe
you
can
see
the
buncee
list,
but
you
shouldn't
see
the
motor
abilities
and
works
it.
A
C
A
C
A
C
A
D
A
Yeah,
so
you
can
actually
given
you,
don't
if
you
don't,
if
you
just
want
to
check
that,
for
example,
there,
for
example,
the
rule
for
licenses
feature.
So
if
we
have
project
and
it's,
for
example,
it's
public
and
we
don't
care
about
the
user
like
we
just
want
to
check.
If
the
feature
is
available
for
a
project
and.
D
Then
you
can
do
we
have
to
then
explicitly
skip
the
claim
check
for
the
user,
or
is
it
implied
that
all
unauthenticated
users
would
be
able
to
have
like
say
like
read
project
depending
on
the
I
guess,
inheritance
of
the
policy?
So
if
project
is
public
and
there's
no
user,
that's
Afeni
kated.
Do
the
permissions,
then
sort
of
say:
okay,
there
unauthenticated,
but
the
project
sort
of
scope
says
that
anybody
can
read
this.
So
therefore
they
do
ask
the
claim
check.
A
Frankly,
I
don't
know
the
answer
for
this
question,
so
we
can
actually-
and
so
it's
basically
question.
If,
with
this
method
allowed,
we
can
can
like
accept
their
rules
out
user,
so
I
guess
it
can
be
so,
but
I
I
can
start
I
can
actually,
after
this
call,
I'll
write
the
question
down
to
say
this
and
I'll
find
a
sore
inside
them
say
it's
a
good
place.
So
I
can
just
check
the
code
because
I
forgot
for
security
features.
Actually
we
all
all
of
them.
A
B
Just
gonna
comment:
I
think
I
meant
I,
remember
it.
Maybe
in
the
retro
you
mentioned
that
the
policies
or
the
permissions
are
quite
confusing.
Is
there?
Is
there
any
kind
of
I
haven't
take
a
look
at
them,
but
is
there
thoughts
that,
maybe
you
know
refactoring
a
you
know
have
that
how
that
works
or
is
it
kind
of
like
this
is
how
it
is
it
has
to.
You
know,
stick
with
that.
A
A
And
like
our
biggest
problem
right
now,
is
it
as
far
as
I
understand
was
he
have
the
same
situation,
which
is
his
issue
with
permissions?
So
we
like,
if
we
have
a
lot
of
settings
and
we
need
to
check
all
the
elements.
So
if
you
want
to
show
our
abilities
in
different
places,
we
have
to
make
sure
that
users
have
an
access
to
this
place
and
because
we
have
different
access
level
for
projects,
we
have
different
access
them
for
users.
So
it's
like.
A
D
So
it's
the
DSL
itself
looks
like
a
little
bit
complicated,
but
I
think
if
we
just
think
about
in
terms
of
like
verifying
like
that
second
slide,
you
had
or
that
first
slide
with
the
code
like.
Can
this
user
perform
this
action
against
this
resource?
Do
they
have
that
claim?
I,
think
that
simplifies
it,
but
the
implementation
is
probably
the
complicated
part
yeah.