Commit 6e8ea52b authored by Shinya Maeda's avatar Shinya Maeda

Add functionality and security.

parent e364c118
......@@ -33,6 +33,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
end
def update
return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)
if Ci::CreatePipelineScheduleService
.new(@project, current_user, schedule_params).update(schedule)
redirect_to namespace_project_pipeline_schedules_path(@project.namespace.becomes(Namespace), @project)
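Review bot: The ability check at the top of `update` guards only this one action, and the rest of the controller is outside the hunk, so it is not visible whether other actions that change a schedule (an `edit` form, a delete) run the same check. An inline `return access_denied! unless can?(...)` repeated per action is easy to forget when an action is added later. A filter is harder to miss: `before_action :authorize_update_pipeline_schedule!, only: [:edit, :update]`, backed by a new private method of that name that holds the `can?(current_user, :update_pipeline_schedule, schedule)` call. A controller spec asserting that a developer who does not own the schedule is denied on `update` would pin the behaviour; the body of `update` continues past the end of the hunk.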
......
......@@ -2,24 +2,14 @@ module Ci
class PipelineSchedulePolicy < PipelinePolicy
alias_method :pipeline_schedule, :subject
condition(:protected_action) do
owned_by_developer? && owned_by_another?
end
rule { protected_action }.prevent :update_pipeline_schedule
private
def owned_by_developer?
return false unless @user
pipeline_schedule.project.team.developer?(@user)
end
def rules
super
def owned_by_another?
return false unless @user
access = pipeline_schedule.project.team.max_member_access(user.id)
!pipeline_schedule.owned_by?(@user)
if access == Gitlab::Access::DEVELOPER && pipeline_schedule.owner != user
cannot! :update_pipeline_schedule
end
end
end
end
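Review bot: The `rules` version of this policy calls `pipeline_schedule.project.team.max_member_access(user.id)` with no nil check, whereas the `condition` version returns false when `@user` is unset. The page has lost its +/- markers, but the header counts (24 old lines, 14 new) suggest `rules` is the new side, in which case a request with no signed-in user would probably raise here rather than fall through to the inherited rules. A guard directly after `super` avoids that: `return unless user`. The restriction also applies only when the access level is exactly `Gitlab::Access::DEVELOPER`, so denying lower roles depends entirely on the parent policy, which is not visible here. A comment above the check such as `# Developers may update only the schedules they own.` would make the intent explicit.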