Add permission check to pipeline tour

- only initiate the tour entry point based on if this feature exists and if user has proper permissions.

Add permission check to pipeline tour
- only initiate the tour entry point based on if this feature exists and if user has proper permissions.
77d12c4a · Doug Stull · Jan Provaznik · 983f665d · 77d12c4a · 77d12c4a
Commit 77d12c4a authored Feb 24, 2020 by Doug Stull Committed by Jan Provaznik Feb 27, 2020
Showing with 12 additions and 0 deletions

app/serializers/merge_request_widget_entity.rb app/serializers/merge_request_widget_entity.rb +2 -0

spec/serializers/merge_request_widget_entity_spec.rb spec/serializers/merge_request_widget_entity_spec.rb +10 -0

No files found.
--- a/app/serializers/merge_request_widget_entity.rb
+++ b/app/serializers/merge_request_widget_entity.rb
@@ -94,6 +94,8 @@ class MergeRequestWidgetEntity < Grape::Entity
    merge_request.source_project&.uses_default_ci_config? &&
      merge_request.all_pipelines.none? &&
      merge_request.commits_count.positive? &&
+      can?(current_user, :read_build, merge_request.source_project) &&
+      can?(current_user, :create_pipeline, merge_request.source_project) &&
      can?(current_user, :push_code, merge_request.source_project)
  end
 end

--- a/spec/serializers/merge_request_widget_entity_spec.rb
+++ b/spec/serializers/merge_request_widget_entity_spec.rb
@@ -123,6 +123,16 @@ describe MergeRequestWidgetEntity do
            expect(subject[:merge_request_add_ci_config_path]).not_to be_nil
          end
        end
+
+        context 'when feature is disabled' do
+          before do
+            project.project_feature.update(repository_access_level: ProjectFeature::DISABLED)
+          end
+
+          it 'has no path' do
+            expect(subject[:merge_request_add_ci_config_path]).to be_nil
+          end
+        end
      end

      context 'when user does not have permissions' do