Commit 1247ae0d authored by Shinya Maeda's avatar Shinya Maeda

Add functionality and security.

parent 3ea04616
...@@ -33,6 +33,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController ...@@ -33,6 +33,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
end end
def update def update
return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)
if Ci::CreatePipelineScheduleService if Ci::CreatePipelineScheduleService
.new(@project, current_user, schedule_params).update(schedule) .new(@project, current_user, schedule_params).update(schedule)
redirect_to namespace_project_pipeline_schedules_path(@project.namespace.becomes(Namespace), @project) redirect_to namespace_project_pipeline_schedules_path(@project.namespace.becomes(Namespace), @project)
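Review bot: The new `can?(current_user, :update_pipeline_schedule, schedule)` guard sits inline in `update` only, so no other action in this controller gets the per-schedule check from this hunk. If an `edit` action exists outside the visible lines, it would still render the form for a user who is then refused on submit, and any action that deletes or reassigns a schedule needs the same ownership-aware check. Consider a `before_action` wrapping this exact `can?` call, e.g. `before_action :authorize_update_pipeline_schedule!, only: [:edit, :update]`, so the authorization lives in one place and a newly added action cannot skip it by omission. The body of `update` continues past the end of the hunk, so the failure branch could not be reviewed here.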
......
module Ci module Ci
class PipelineSchedulePolicy < PipelinePolicy class PipelineSchedulePolicy < PipelinePolicy
alias_method :pipeline_schedule, :subject
def rules
super
access = pipeline_schedule.project.team.max_member_access(user.id)
if access == Gitlab::Access::DEVELOPER && pipeline_schedule.owner != user
cannot! :update_pipeline_schedule
end
end
end end
end end
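Review bot: `user.id` on the `max_member_access` line raises `NoMethodError` if this policy is ever evaluated with no signed-in user, which is not ruled out by anything visible here; a guard such as `return unless user` directly after `super` would keep an anonymous request from turning a permission check into a server error. The restriction is also written as a deny on one exact level, `access == Gitlab::Access::DEVELOPER`, so it silently relies on the parent rules never granting `:update_pipeline_schedule` below developer. A comment stating that intent, e.g. `# Developers may update only the schedules they own; higher roles keep the ability from the parent rules`, would make the assumption reviewable. A policy spec covering a developer who owns the schedule, a developer who does not, a higher role and an anonymous user would pin the behaviour.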