Commit c3d897a9 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Properly handle commit status permissions (for a build)

parent e80c79e3
...@@ -5,6 +5,12 @@ class Ability ...@@ -5,6 +5,12 @@ class Ability
return [] unless user.is_a?(User) return [] unless user.is_a?(User)
return [] if user.blocked? return [] if user.blocked?
if subject.is_a?(CommitStatus)
rules = project_abilities(user, subject)
rules = filter_build_abilities(rules) if subject.is_a?(Ci::Build)
return rules
end
case subject.class.name case subject.class.name
when "Project" then project_abilities(user, subject) when "Project" then project_abilities(user, subject)
when "Issue" then issue_abilities(user, subject) when "Issue" then issue_abilities(user, subject)
...@@ -25,6 +31,10 @@ class Ability ...@@ -25,6 +31,10 @@ class Ability
case true case true
when subject.is_a?(PersonalSnippet) when subject.is_a?(PersonalSnippet)
anonymous_personal_snippet_abilities(subject) anonymous_personal_snippet_abilities(subject)
when subject.is_a?(CommitStatus)
rules = anonymous_project_abilities(subject)
rules = filter_build_abilities(rules) if subject.is_a?(Ci::Build)
rules
when subject.is_a?(Project) || subject.respond_to?(:project) when subject.is_a?(Project) || subject.respond_to?(:project)
anonymous_project_abilities(subject) anonymous_project_abilities(subject)
when subject.is_a?(Group) || subject.respond_to?(:group) when subject.is_a?(Group) || subject.respond_to?(:group)
...@@ -396,6 +406,18 @@ class Ability ...@@ -396,6 +406,18 @@ class Ability
rules rules
end end
def filter_build_abilities(rules)
# If we can't read build we should also not have that
# ability when looking at this in context of commit_status
unless rules.include?(:read_build)
rules -= [:read_commit_status]
end
unless rules.include?(:update_build)
rules -= [:update_commit_status]
end
rules
end
def abilities def abilities
@abilities ||= begin @abilities ||= begin
abilities = Six.new abilities = Six.new
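Review bot: The new CommitStatus branch for signed-in users calls `project_abilities(user, subject)` with the commit status itself, while the only other visible caller (the `"Project"` case) passes a Project. The body of `project_abilities` is outside these hunks, so confirm it resolves the owning project before computing rules; if it does not, pass it explicitly with `rules = project_abilities(user, subject.project)`. `filter_build_abilities` ties only the read and update pair to the build abilities, so a comment such as `# Only :read_commit_status and :update_commit_status follow the build abilities; extend when new commit_status abilities are added` would make that limit visible. The method that holds the first branch starts and ends outside the hunk.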
......
%tr.commit_status %tr.commit_status
%td.status %td.status
- if commit_status.target_url - if can?(current_user, :read_commit_status, commit_status) && commit_status.target_url
= link_to commit_status.target_url, class: "ci-status ci-#{commit_status.status}" do = link_to commit_status.target_url, class: "ci-status ci-#{commit_status.status}" do
= ci_icon_for_status(commit_status.status) = ci_icon_for_status(commit_status.status)
= commit_status.status = commit_status.status
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
= ci_status_with_icon(commit_status.status) = ci_status_with_icon(commit_status.status)
%td.commit_status-link %td.commit_status-link
- if can?(current_user, :read_build, commit_status.project) && commit_status.target_url - if can?(current_user, :read_commit_status, commit_status) && commit_status.target_url
= link_to commit_status.target_url do = link_to commit_status.target_url do
%strong ##{commit_status.id} %strong ##{commit_status.id}
- else - else
...@@ -66,10 +66,10 @@ ...@@ -66,10 +66,10 @@
%td %td
.pull-right .pull-right
- if can?(current_user, :read_build, commit_status.project) && commit_status.artifacts_download_url - if can?(current_user, :read_commit_status, commit_status) && commit_status.artifacts_download_url
= link_to commit_status.artifacts_download_url, title: 'Download artifacts' do = link_to commit_status.artifacts_download_url, title: 'Download artifacts' do
%i.fa.fa-download %i.fa.fa-download
- if can?(current_user, :update_build, commit_status.project) - if can?(current_user, :update_commit_status, commit_status)
- if commit_status.active? - if commit_status.active?
- if commit_status.cancel_url - if commit_status.cancel_url
= link_to commit_status.cancel_url, method: :post, title: 'Cancel' do = link_to commit_status.cancel_url, method: :post, title: 'Cancel' do
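Review bot: The `can?(current_user, :read_commit_status, commit_status)` and `:update_commit_status` checks on the changed conditions only decide whether a link is rendered; they do not protect `target_url`, `artifacts_download_url` or `cancel_url` themselves. The controllers behind those URLs are not on this page, so confirm each action authorizes the same ability against the same subject. Otherwise a user who is denied the link can still request the URL directly. A view comment such as `-# Visibility only: the build, artifacts and cancel actions must authorize on their own` would record that. The read check is also evaluated three times per row and could be assigned once at the top of the partial.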
......