diff --git a/app/graphql/mutations/environments/delete.rb b/app/graphql/mutations/environments/delete.rb
index 5e3958b79364114fcac366ec9ef628e4a800c742..2d1e9265aaedfb11068c4be8503acccd3bd9789d 100644
--- a/app/graphql/mutations/environments/delete.rb
+++ b/app/graphql/mutations/environments/delete.rb
@@ -6,7 +6,7 @@ class Delete < ::Mutations::BaseMutation
graphql_name 'EnvironmentDelete'
description 'Delete an environment.'
- authorize :destroy_environment
+ authorize :delete_environment
argument :id,
::Types::GlobalIDType[::Environment],
diff --git a/app/graphql/types/permission_types/environment.rb b/app/graphql/types/permission_types/environment.rb
index 59c9fce64e5e6f245f5379722f301b8412dd1a84..6a2a3c0e0695b8be3438a052ee72e5c7ed7223f9 100644
--- a/app/graphql/types/permission_types/environment.rb
+++ b/app/graphql/types/permission_types/environment.rb
@@ -5,7 +5,12 @@ module PermissionTypes
class Environment < BasePermissionType
graphql_name 'EnvironmentPermissions'
- abilities :update_environment, :destroy_environment, :stop_environment
+ abilities :update_environment, :delete_environment, :stop_environment
+
+ permission_field(:destroy_environment,
+ deprecated: { milestone: '18.5', reason: :renamed, replacement: 'delete_environment' })
+
+ alias_method :destroy_environment, :delete_environment
end
end
end
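Review bot: The deprecation on `permission_field(:destroy_environment, ...)` names its replacement in snake_case, but API clients see the camelCase field; the generated reference in doc/api/graphql/reference/_index.md now reads "Use: `delete_environment`" next to a field called `deleteEnvironment`. Consider `replacement: 'EnvironmentPermissions.deleteEnvironment'` (or whichever form the project's deprecation helper expects) so the hint matches something a client can actually query. The `alias_method :destroy_environment, :delete_environment` line presumably relies on `abilities` having defined a `delete_environment` instance method above it; a one-line comment such as `# Deprecated alias: must resolve to the same policy check as delete_environment` would make that ordering dependency explicit. The spec hunk in spec/graphql/types/permission_types/environment_spec.rb only adds the name to the expected list, so it may be worth asserting that both fields return the same value for the same user.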
diff --git a/app/helpers/environments_helper.rb b/app/helpers/environments_helper.rb
index 3bb5d54bb0cbda2a6cb5928612a34dea3889c67d..8209df2883e5699a60e0eab9c65c5e48b92874ef 100644
--- a/app/helpers/environments_helper.rb
+++ b/app/helpers/environments_helper.rb
@@ -14,7 +14,7 @@ def environments_folder_list_view_data(project, folder)
end
def can_destroy_environment?(environment)
- can?(current_user, :destroy_environment, environment)
+ can?(current_user, :delete_environment, environment)
end
end
diff --git a/app/policies/environment_policy.rb b/app/policies/environment_policy.rb
index 9dc180d58a21059fd37c047d91eb7e9844dd8827..d39c6b6b389741f6fca795de94f555e31f427588 100644
--- a/app/policies/environment_policy.rb
+++ b/app/policies/environment_policy.rb
@@ -18,7 +18,7 @@ class EnvironmentPolicy < BasePolicy
rule { stop_with_deployment_allowed | stop_with_update_allowed }.enable :stop_environment
- rule { ~stopped }.prevent(:destroy_environment)
+ rule { ~stopped }.prevent(:delete_environment)
end
EnvironmentPolicy.prepend_mod_with('EnvironmentPolicy')
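Review bot: Policy abilities are plain symbols, so a `prevent :destroy_environment` left anywhere outside this diff would stop vetoing deletion without raising an error, now that the only `enable` is for `:delete_environment`. The same applies to the `prevent :delete_environment` lines in both ProjectPolicy blocks and in ee/app/policies/ee/environment_policy.rb. A stale `can?` check would fail closed, but a stale `prevent` fails open, so confirm with a repository-wide search (including ee/ and any custom-role or protected-environment code) that no reference to the old name remains, unless the permission-definition check fed by definitions_todo.txt already guarantees this. A short comment above the rule would help future readers, for example `# Renamed from :destroy_environment; a prevent on the old name is silently ignored`.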
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 32c45c903cf022b84c64a31467b802bea2d40aef..6a14612d5831ce1d2294f1bb9b9907777c7bbda5 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -511,7 +511,7 @@ class ProjectPolicy < BasePolicy
prevent :create_environment
prevent :update_environment
prevent :admin_environment
- prevent :destroy_environment
+ prevent :delete_environment
prevent :read_deployment
prevent :create_deployment
@@ -616,7 +616,7 @@ class ProjectPolicy < BasePolicy
enable :destroy_container_registry_protection_tag_rule
enable :create_environment
enable :update_environment
- enable :destroy_environment
+ enable :delete_environment
enable :create_deployment
enable :update_deployment
enable :read_cluster # Deprecated as certificate-based cluster integration (`Clusters::Cluster`).
@@ -862,7 +862,7 @@ class ProjectPolicy < BasePolicy
prevent :create_environment
prevent :update_environment
prevent :admin_environment
- prevent :destroy_environment
+ prevent :delete_environment
prevent :read_deployment
prevent :create_deployment
diff --git a/app/serializers/environment_entity.rb b/app/serializers/environment_entity.rb
index 26c737e8c902223e95e9d878e5c21c6929a6d0b3..b5db4502c376e6ba9813384104d92bef3d626532 100644
--- a/app/serializers/environment_entity.rb
+++ b/app/serializers/environment_entity.rb
@@ -63,7 +63,7 @@ class EnvironmentEntity < Grape::Entity
end
expose :can_delete do |environment|
- can?(current_user, :destroy_environment, environment)
+ can?(current_user, :delete_environment, environment)
end
private
diff --git a/app/services/environments/destroy_service.rb b/app/services/environments/destroy_service.rb
index db9faf8d8acc2805d6a748c78188f17a0f40e205..a2a54dea1df4fb37776e5f4337ad3d99482d2415 100644
--- a/app/services/environments/destroy_service.rb
+++ b/app/services/environments/destroy_service.rb
@@ -3,7 +3,7 @@
module Environments
class DestroyService < BaseService
def execute(environment)
- unless can?(current_user, :destroy_environment, environment)
+ unless can?(current_user, :delete_environment, environment)
return ServiceResponse.error(
message: 'Unauthorized to delete the environment'
)
diff --git a/app/services/environments/schedule_to_delete_review_apps_service.rb b/app/services/environments/schedule_to_delete_review_apps_service.rb
index 8e9fe3300c4092a16f6c6fe1425c9b793ba4743c..90412080ea5611a4951442f3c960f1fb9cbfee3c 100644
--- a/app/services/environments/schedule_to_delete_review_apps_service.rb
+++ b/app/services/environments/schedule_to_delete_review_apps_service.rb
@@ -28,7 +28,7 @@ def dry_run?
end
def validate
- return if can?(current_user, :destroy_environment, project)
+ return if can?(current_user, :delete_environment, project)
Result.new(error_message: "You do not have permission to destroy environments in this project", status: :unauthorized)
end
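Review bot: The error string in `validate` still says "destroy environments" although the ability it reports on is now `:delete_environment`, and DestroyService already uses "Unauthorized to delete the environment". If no client matches on this text, align it: `Result.new(error_message: "You do not have permission to delete environments in this project", status: :unauthorized)`. Note also that this check passes `project` as the subject while the per-environment check in the next hunk passes `env`; a brief comment stating that the project-level check is only a coarse gate, and that the per-environment policy still decides, would make the two-step authorization clearer.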
@@ -49,7 +49,7 @@ def unsafe_mark_deletable_environments
.stopped_review_apps(params[:before], params[:limit])
# Check if the actor has write permission to a potentially-protected environment.
- deletable, failed = *environments.partition { |env| current_user.can?(:destroy_environment, env) }
+ deletable, failed = *environments.partition { |env| current_user.can?(:delete_environment, env) }
if deletable.any? && failed.empty?
mark_for_deletion(deletable) unless dry_run?
diff --git a/config/authz/permissions/definitions_todo.txt b/config/authz/permissions/definitions_todo.txt
index bcbed03e9de01760b8118e4f919aa71329d0270e..fe16b1ea9b5f61c459ef78bd74d515d8460a3573 100644
--- a/config/authz/permissions/definitions_todo.txt
+++ b/config/authz/permissions/definitions_todo.txt
@@ -299,7 +299,6 @@ destroy_deploy_token
destroy_deployment
destroy_design
destroy_duo_workflow
-destroy_environment
destroy_epic
destroy_feature_flag
destroy_feature_flags_client
diff --git a/config/authz/permissions/environment/delete.yml b/config/authz/permissions/environment/delete.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8e497235f38bcbdd84b886c7d009b3fdcd34cd47
--- /dev/null
+++ b/config/authz/permissions/environment/delete.yml
@@ -0,0 +1,6 @@
+---
+name: delete_environment
+description: Grants the ability to delete environments
+scopes:
+ - project
+feature_category: continuous_delivery
diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md
index 2ea8358d291a624d5fb3ce86805e2a01078fa7d9..303461385f8c4421a1dd812f57ba19cb9f0fc81d 100644
--- a/doc/api/graphql/reference/_index.md
+++ b/doc/api/graphql/reference/_index.md
@@ -29288,7 +29288,8 @@ Returns [`Deployment`](#deployment).
| Name | Type | Description |
| ---- | ---- | ----------- |
-| `destroyEnvironment` | [`Boolean!`](#boolean) | If `true`, the user can perform `destroy_environment` on this resource. |
+| `deleteEnvironment` | [`Boolean!`](#boolean) | If `true`, the user can perform `delete_environment` on this resource. |
+| `destroyEnvironment` {{< icon name="warning-solid" >}} | [`Boolean!`](#boolean) | **Deprecated** in GitLab 18.5. This was renamed. Use: `delete_environment`. |
| `stopEnvironment` | [`Boolean!`](#boolean) | If `true`, the user can perform `stop_environment` on this resource. |
| `updateEnvironment` | [`Boolean!`](#boolean) | If `true`, the user can perform `update_environment` on this resource. |
diff --git a/ee/app/policies/ee/environment_policy.rb b/ee/app/policies/ee/environment_policy.rb
index d8b6f91da06f46584648c1900f14e16cc2bbcf38..3934c66b205c1760d4a9f801717f624f80bdcf57 100644
--- a/ee/app/policies/ee/environment_policy.rb
+++ b/ee/app/policies/ee/environment_policy.rb
@@ -14,7 +14,7 @@ module EnvironmentPolicy
prevent :create_deployment
prevent :update_deployment
prevent :update_environment
- prevent :destroy_environment
+ prevent :delete_environment
end
end
end
diff --git a/ee/spec/policies/environment_policy_spec.rb b/ee/spec/policies/environment_policy_spec.rb
index 5846e7f71e0ff95005aa8de7091c6e58f98dd9f9..e2563c9191415ac7c60da881f2ccc7d725062bf3 100644
--- a/ee/spec/policies/environment_policy_spec.rb
+++ b/ee/spec/policies/environment_policy_spec.rb
@@ -20,8 +20,8 @@
it_behaves_like 'protected environments access'
end
- describe '#destroy_environment' do
- subject { user.can?(:destroy_environment, environment) }
+ describe '#delete_environment' do
+ subject { user.can?(:delete_environment, environment) }
before do
environment.stop_complete!
diff --git a/lib/api/environments.rb b/lib/api/environments.rb
index 764fc4a02843a0ffea1f67a4a8782804c334ba4f..d17d6595c82f9398ac1756d6eada8f5ca53615cc 100644
--- a/lib/api/environments.rb
+++ b/lib/api/environments.rb
@@ -197,7 +197,7 @@ class Environments < ::API::Base
authorize! :read_environment, user_project
environment = user_project.environments.find(params[:environment_id])
- authorize! :destroy_environment, environment
+ authorize! :delete_environment, environment
destroy_conditionally!(environment)
end
diff --git a/spec/graphql/types/permission_types/environment_spec.rb b/spec/graphql/types/permission_types/environment_spec.rb
index 944699c972a26e699ff4e474460f7f12ab7e1686..ac45c4485431c2884f5d1614f453963104e2d73f 100644
--- a/spec/graphql/types/permission_types/environment_spec.rb
+++ b/spec/graphql/types/permission_types/environment_spec.rb
@@ -5,7 +5,7 @@
RSpec.describe Types::PermissionTypes::Environment, feature_category: :continuous_delivery do
it do
expected_permissions = [
- :update_environment, :destroy_environment, :stop_environment
+ :update_environment, :destroy_environment, :delete_environment, :stop_environment
]
expected_permissions.each do |permission|
diff --git a/spec/policies/environment_policy_spec.rb b/spec/policies/environment_policy_spec.rb
index f0957ff5cc93ef53f4727d62f5c55724931a8b02..a80a5cf4dda7f11a79776e6e4f16b0cecef9e9d8 100644
--- a/spec/policies/environment_policy_spec.rb
+++ b/spec/policies/environment_policy_spec.rb
@@ -104,7 +104,7 @@
end
end
- describe '#destroy_environment' do
+ describe '#delete_environment' do
let(:environment) do
create(:environment, project: project)
end
@@ -122,21 +122,21 @@
project.add_member(user, access_level) unless access_level.nil?
end
- it { expect(policy).to be_disallowed :destroy_environment }
+ it { expect(policy).to be_disallowed :delete_environment }
context 'when environment is stopped' do
before do
environment.stop!
end
- it { expect(policy.allowed?(:destroy_environment)).to be allowed? }
+ it { expect(policy.allowed?(:delete_environment)).to be allowed? }
end
end
context 'when an admin user' do
let(:user) { create(:user, :admin) }
- it { expect(policy).to be_disallowed :destroy_environment }
+ it { expect(policy).to be_disallowed :delete_environment }
context 'when environment is stopped' do
before do
@@ -144,11 +144,11 @@
end
context 'when admin mode is enabled', :enable_admin_mode do
- it { expect(policy).to be_allowed :destroy_environment }
+ it { expect(policy).to be_allowed :delete_environment }
end
context 'when admin mode is disabled' do
- it { expect(policy).to be_disallowed :destroy_environment }
+ it { expect(policy).to be_disallowed :delete_environment }
end
end
end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index d3b3b852dcf365b56b06363591ccc1181e74c013..80ac057f2bf4480f64a1737b466100471ad32ed8 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -578,7 +578,7 @@ def set_access_level(access_level)
builds_permissions = [
:create_build, :read_build, :update_build, :cancel_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule_variables, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
- :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
+ :create_environment, :read_environment, :update_environment, :admin_environment, :delete_environment,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
:read_resource_group, :update_resource_group
]
@@ -611,7 +611,7 @@ def set_access_level(access_level)
:create_pipeline, :update_pipeline, :cancel_pipeline, :admin_pipeline, :destroy_pipeline,
:create_build, :read_build, :cancel_build, :update_build, :admin_build, :destroy_build,
:create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
- :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
+ :create_environment, :read_environment, :update_environment, :admin_environment, :delete_environment,
:create_cluster, :read_cluster, :update_cluster, :admin_cluster,
:create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
:download_code, :build_download_code, :read_code,
@@ -2428,7 +2428,7 @@ def set_access_level(access_level)
let(:developer_permissions) do
guest_permissions + [
- :create_environment, :create_deployment, :update_environment, :update_deployment, :destroy_environment
+ :create_environment, :create_deployment, :update_environment, :update_deployment, :delete_environment
]
end