Commit 23bfd8c1 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Consistently check permission for creating pipelines,

updating builds and updating pipelines. We check against
being able to merge or push if the ref is protected.
parent 24a1f0d8
...@@ -169,7 +169,7 @@ module Ci ...@@ -169,7 +169,7 @@ module Ci
Ability.allowed?(user, :create_pipeline, project) && Ability.allowed?(user, :create_pipeline, project) &&
if repo.ref_exists?("#{Gitlab::Git::BRANCH_REF_PREFIX}#{ref}") if repo.ref_exists?("#{Gitlab::Git::BRANCH_REF_PREFIX}#{ref}")
access.can_merge_to_branch?(ref) access.can_push_or_merge_to_branch?(ref)
elsif repo.ref_exists?("#{Gitlab::Git::TAG_REF_PREFIX}#{ref}") elsif repo.ref_exists?("#{Gitlab::Git::TAG_REF_PREFIX}#{ref}")
access.can_create_tag?(ref) access.can_create_tag?(ref)
else else
......
...@@ -11,19 +11,20 @@ module Ci ...@@ -11,19 +11,20 @@ module Ci
cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build" cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
end end
if can?(:update_build) && protected_action? if can?(:update_build) && !can_user_update?
cannot! :update_build cannot! :update_build
end end
end end
private private
def protected_action? def can_user_update?
return false unless build.action? user_access.can_push_or_merge_to_branch?(build.ref)
end
!::Gitlab::UserAccess def user_access
@user_access ||= ::Gitlab::UserAccess
.new(user, project: build.project) .new(user, project: build.project)
.can_merge_to_branch?(build.ref)
end end
end end
end end
module Ci module Ci
class PipelinePolicy < BasePolicy class PipelinePolicy < BasePolicy
alias_method :pipeline, :subject
def rules def rules
delegate! @subject.project delegate! pipeline.project
if can?(:update_pipeline) && !can_user_update?
cannot! :update_pipeline
end
end
private
def can_user_update?
user_access.can_push_or_merge_to_branch?(pipeline.ref)
end
def user_access
@user_access ||= ::Gitlab::UserAccess
.new(user, project: pipeline.project)
end end
end end
end end
...@@ -48,6 +48,10 @@ module Gitlab ...@@ -48,6 +48,10 @@ module Gitlab
end end
end end
def can_push_or_merge_to_branch?(ref)
can_push_to_branch?(ref) || can_merge_to_branch?(ref)
end
def can_push_to_branch?(ref) def can_push_to_branch?(ref)
return false unless can_access_git? return false unless can_access_git?
......
...@@ -96,55 +96,37 @@ describe Ci::BuildPolicy, :models do ...@@ -96,55 +96,37 @@ describe Ci::BuildPolicy, :models do
end end
end end
describe 'rules for manual actions' do describe 'rules for protected branch' do
let(:project) { create(:project) } let(:project) { create(:project) }
before do before do
project.add_developer(user) project.add_developer(user)
end
context 'when branch build is assigned to is protected' do
before do
create(:protected_branch, :no_one_can_push,
name: 'some-ref', project: project)
end
context 'when build is a manual action' do create(:protected_branch, branch_policy,
let(:build) do name: build.ref, project: project)
create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline) end
end
it 'does not include ability to update build' do
expect(policies).not_to include :update_build
end
end
context 'when build is not a manual action' do context 'when no one can push or merge to the branch' do
let(:build) do let(:branch_policy) { :no_one_can_push }
create(:ci_build, ref: 'some-ref', pipeline: pipeline)
end
it 'includes ability to update build' do it 'does not include ability to update build' do
expect(policies).to include :update_build expect(policies).not_to include :update_build
end
end end
end end
context 'when branch build is assigned to is not protected' do context 'when developers can push to the branch' do
context 'when build is a manual action' do let(:branch_policy) { :developers_can_push }
let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
it 'includes ability to update build' do it 'includes ability to update build' do
expect(policies).to include :update_build expect(policies).to include :update_build
end
end end
end
context 'when build is not a manual action' do context 'when developers can push to the branch' do
let(:build) { create(:ci_build, pipeline: pipeline) } let(:branch_policy) { :developers_can_merge }
it 'includes ability to update build' do it 'includes ability to update build' do
expect(policies).to include :update_build expect(policies).to include :update_build
end
end end
end end
end end
......
require 'spec_helper'
describe Ci::PipelinePolicy, :models do
let(:user) { create(:user) }
let(:pipeline) { create(:ci_empty_pipeline, project: project) }
let(:policies) do
described_class.abilities(user, pipeline).to_set
end
describe 'rules' do
describe 'rules for protected branch' do
let(:project) { create(:project) }
before do
project.add_developer(user)
create(:protected_branch, branch_policy,
name: pipeline.ref, project: project)
end
context 'when no one can push or merge to the branch' do
let(:branch_policy) { :no_one_can_push }
it 'does not include ability to update pipeline' do
expect(policies).not_to include :update_pipeline
end
end
context 'when developers can push to the branch' do
let(:branch_policy) { :developers_can_push }
it 'includes ability to update pipeline' do
expect(policies).to include :update_pipeline
end
end
context 'when developers can push to the branch' do
let(:branch_policy) { :developers_can_merge }
it 'includes ability to update pipeline' do
expect(policies).to include :update_pipeline
end
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment