Allow user owns_runner? callsite
Background
In #337077 (closed), we disallowed any queries that joined between tables in main:
and ci:
databases. e.g. (SELECT * from projects INNER JOIN ci_builds ON ci_builds.project_id = projects.id
is forbidden).
There are of course existing queries that cross databases. These are allowlisted by allowing the specs that produce them, the list is in spec/support/database/cross-join-allowlist.yml.
In some cases, the spec allowlist is probably too broad so we switch to using an alternative allowlist method using allow_cross_joins_across_databases
. This also allows us to annotate with the issue link where we will be fixing the cross-database query.
What does this MR do?
Allow user owns_runner? callsite for cross-database query check purposes. Tidies up policy to not have AR methods, adds specs
Related issue: #339299 (closed)