Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
7320684c
Commit
7320684c
authored
May 09, 2018
by
Dylan Griffith
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Use can? policies for lib/api/runners.rb
parent
846f73b5
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
9 additions
and
13 deletions
+9
-13
app/policies/ci/runner_policy.rb
app/policies/ci/runner_policy.rb
+4
-4
lib/api/runners.rb
lib/api/runners.rb
+5
-9
No files found.
app/policies/ci/runner_policy.rb
View file @
7320684c
module
Ci
module
Ci
class
RunnerPolicy
<
BasePolicy
class
RunnerPolicy
<
BasePolicy
with_options
scope: :subject
,
score:
0
condition
(
:shared
)
{
@subject
.
is_shared?
}
with_options
scope: :subject
,
score:
0
with_options
scope: :subject
,
score:
0
condition
(
:locked
,
scope: :subject
)
{
@subject
.
locked?
}
condition
(
:locked
,
scope: :subject
)
{
@subject
.
locked?
}
...
@@ -10,7 +7,10 @@ module Ci
...
@@ -10,7 +7,10 @@ module Ci
rule
{
anonymous
}.
prevent_all
rule
{
anonymous
}.
prevent_all
rule
{
admin
|
authorized_runner
}.
enable
:assign_runner
rule
{
admin
|
authorized_runner
}.
enable
:assign_runner
rule
{
~
admin
&
shared
}.
prevent
:assign_runner
rule
{
admin
|
authorized_runner
}.
enable
:read_runner
rule
{
admin
|
authorized_runner
}.
enable
:update_runner
rule
{
admin
|
authorized_runner
}.
enable
:delete_runner
rule
{
admin
|
authorized_runner
}.
enable
:list_runner_jobs
rule
{
~
admin
&
locked
}.
prevent
:assign_runner
rule
{
~
admin
&
locked
}.
prevent
:assign_runner
end
end
end
end
lib/api/runners.rb
View file @
7320684c
...
@@ -184,14 +184,14 @@ module API
...
@@ -184,14 +184,14 @@ module API
def
authenticate_show_runner!
(
runner
)
def
authenticate_show_runner!
(
runner
)
return
if
runner
.
is_shared
||
current_user
.
admin?
return
if
runner
.
is_shared
||
current_user
.
admin?
forbidden!
(
"No access granted"
)
unless
user_can_access_runner?
(
runner
)
forbidden!
(
"No access granted"
)
unless
can?
(
current_user
,
:read_runner
,
runner
)
end
end
def
authenticate_update_runner!
(
runner
)
def
authenticate_update_runner!
(
runner
)
return
if
current_user
.
admin?
return
if
current_user
.
admin?
forbidden!
(
"Runner is shared"
)
if
runner
.
is_shared?
forbidden!
(
"Runner is shared"
)
if
runner
.
is_shared?
forbidden!
(
"No access granted"
)
unless
user_can_access_runner?
(
runner
)
forbidden!
(
"No access granted"
)
unless
can?
(
current_user
,
:update_runner
,
runner
)
end
end
def
authenticate_delete_runner!
(
runner
)
def
authenticate_delete_runner!
(
runner
)
...
@@ -199,7 +199,7 @@ module API
...
@@ -199,7 +199,7 @@ module API
forbidden!
(
"Runner is shared"
)
if
runner
.
is_shared?
forbidden!
(
"Runner is shared"
)
if
runner
.
is_shared?
forbidden!
(
"Runner associated with more than one project"
)
if
runner
.
projects
.
count
>
1
forbidden!
(
"Runner associated with more than one project"
)
if
runner
.
projects
.
count
>
1
forbidden!
(
"No access granted"
)
unless
user_can_access_runner?
(
runner
)
forbidden!
(
"No access granted"
)
unless
can?
(
current_user
,
:delete_runner
,
runner
)
end
end
def
authenticate_enable_runner!
(
runner
)
def
authenticate_enable_runner!
(
runner
)
...
@@ -208,17 +208,13 @@ module API
...
@@ -208,17 +208,13 @@ module API
forbidden!
(
"Runner is a group runner"
)
if
runner
.
group_type?
forbidden!
(
"Runner is a group runner"
)
if
runner
.
group_type?
return
if
current_user
.
admin?
return
if
current_user
.
admin?
forbidden!
(
"No access granted"
)
unless
user_can_access_runner?
(
runner
)
forbidden!
(
"No access granted"
)
unless
can?
(
current_user
,
:assign_runner
,
runner
)
end
end
def
authenticate_list_runners_jobs!
(
runner
)
def
authenticate_list_runners_jobs!
(
runner
)
return
if
current_user
.
admin?
return
if
current_user
.
admin?
forbidden!
(
"No access granted"
)
unless
user_can_access_runner?
(
runner
)
forbidden!
(
"No access granted"
)
unless
can?
(
current_user
,
:list_runner_jobs
,
runner
)
end
def
user_can_access_runner?
(
runner
)
current_user
.
ci_authorized_runners
.
exists?
(
runner
.
id
)
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment