Commit 23bfd8c1 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Consistently check permission for creating pipelines,

updating builds and updating pipelines. We check against
being able to merge or push if the ref is protected.
parent 24a1f0d8
......@@ -169,7 +169,7 @@ module Ci
Ability.allowed?(user, :create_pipeline, project) &&
if repo.ref_exists?("#{Gitlab::Git::BRANCH_REF_PREFIX}#{ref}")
access.can_merge_to_branch?(ref)
access.can_push_or_merge_to_branch?(ref)
elsif repo.ref_exists?("#{Gitlab::Git::TAG_REF_PREFIX}#{ref}")
access.can_create_tag?(ref)
else
......
......@@ -11,19 +11,20 @@ module Ci
cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
end
if can?(:update_build) && protected_action?
if can?(:update_build) && !can_user_update?
cannot! :update_build
end
end
private
def protected_action?
return false unless build.action?
def can_user_update?
user_access.can_push_or_merge_to_branch?(build.ref)
end
!::Gitlab::UserAccess
def user_access
@user_access ||= ::Gitlab::UserAccess
.new(user, project: build.project)
.can_merge_to_branch?(build.ref)
end
end
end
module Ci
class PipelinePolicy < BasePolicy
alias_method :pipeline, :subject
def rules
delegate! @subject.project
delegate! pipeline.project
if can?(:update_pipeline) && !can_user_update?
cannot! :update_pipeline
end
end
private
def can_user_update?
user_access.can_push_or_merge_to_branch?(pipeline.ref)
end
def user_access
@user_access ||= ::Gitlab::UserAccess
.new(user, project: pipeline.project)
end
end
end
......@@ -48,6 +48,10 @@ module Gitlab
end
end
def can_push_or_merge_to_branch?(ref)
can_push_to_branch?(ref) || can_merge_to_branch?(ref)
end
def can_push_to_branch?(ref)
return false unless can_access_git?
......
......@@ -96,57 +96,39 @@ describe Ci::BuildPolicy, :models do
end
end
describe 'rules for manual actions' do
describe 'rules for protected branch' do
let(:project) { create(:project) }
before do
project.add_developer(user)
end
context 'when branch build is assigned to is protected' do
before do
create(:protected_branch, :no_one_can_push,
name: 'some-ref', project: project)
create(:protected_branch, branch_policy,
name: build.ref, project: project)
end
context 'when build is a manual action' do
let(:build) do
create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
end
context 'when no one can push or merge to the branch' do
let(:branch_policy) { :no_one_can_push }
it 'does not include ability to update build' do
expect(policies).not_to include :update_build
end
end
context 'when build is not a manual action' do
let(:build) do
create(:ci_build, ref: 'some-ref', pipeline: pipeline)
end
context 'when developers can push to the branch' do
let(:branch_policy) { :developers_can_push }
it 'includes ability to update build' do
expect(policies).to include :update_build
end
end
end
context 'when branch build is assigned to is not protected' do
context 'when build is a manual action' do
let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
context 'when developers can push to the branch' do
let(:branch_policy) { :developers_can_merge }
it 'includes ability to update build' do
expect(policies).to include :update_build
end
end
context 'when build is not a manual action' do
let(:build) { create(:ci_build, pipeline: pipeline) }
it 'includes ability to update build' do
expect(policies).to include :update_build
end
end
end
end
end
end
require 'spec_helper'
describe Ci::PipelinePolicy, :models do
let(:user) { create(:user) }
let(:pipeline) { create(:ci_empty_pipeline, project: project) }
let(:policies) do
described_class.abilities(user, pipeline).to_set
end
describe 'rules' do
describe 'rules for protected branch' do
let(:project) { create(:project) }
before do
project.add_developer(user)
create(:protected_branch, branch_policy,
name: pipeline.ref, project: project)
end
context 'when no one can push or merge to the branch' do
let(:branch_policy) { :no_one_can_push }
it 'does not include ability to update pipeline' do
expect(policies).not_to include :update_pipeline
end
end
context 'when developers can push to the branch' do
let(:branch_policy) { :developers_can_push }
it 'includes ability to update pipeline' do
expect(policies).to include :update_pipeline
end
end
context 'when developers can push to the branch' do
let(:branch_policy) { :developers_can_merge }
it 'includes ability to update pipeline' do
expect(policies).to include :update_pipeline
end
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment