Remove Ci::Runner resource type handling from Authz::CustomAbility (!209733) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Update RunnerPolicy to check for if user has the read_runners custom ability on the runner's owner Project or Group
Remove handling of Ci::Runner from Authz::CustomAbility – custom abilities should always be checked against a project or a group they are granted for

References

https://gitlab.com/gitlab-org/gitlab/-/issues/576900+.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Oct 22, 2025 by Eugie Limpin

Remove Ci::Runner resource type handling from Authz::CustomAbility

What does this MR do and why?

References

MR acceptance checklist

Merge request reports