Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
9a4e2a4e
Commit
9a4e2a4e
authored
Oct 30, 2019
by
nicolasdular
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Only allow confirmed users to run pipelines
This should make it harder for bots to make use of free CI minutes
parent
591f7c20
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
41 additions
and
4 deletions
+41
-4
app/policies/project_policy.rb
app/policies/project_policy.rb
+11
-4
changelogs/unreleased/nicolasdular-confirm-email-before-ci-usage.yml
...unreleased/nicolasdular-confirm-email-before-ci-usage.yml
+5
-0
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+25
-0
No files found.
app/policies/project_policy.rb
View file @
9a4e2a4e
...
...
@@ -117,6 +117,10 @@ class ProjectPolicy < BasePolicy
!
@subject
.
builds_enabled?
end
condition
(
:user_confirmed?
)
do
@user
&&
@user
.
confirmed?
end
features
=
%w[
merge_requests
issues
...
...
@@ -249,10 +253,7 @@ class ProjectPolicy < BasePolicy
enable
:update_commit_status
enable
:create_build
enable
:update_build
enable
:create_pipeline
enable
:update_pipeline
enable
:read_pipeline_schedule
enable
:create_pipeline_schedule
enable
:create_merge_request_from
enable
:create_wiki
enable
:push_code
...
...
@@ -267,6 +268,12 @@ class ProjectPolicy < BasePolicy
enable
:update_release
end
rule
{
can?
(
:developer_access
)
&
user_confirmed?
}.
policy
do
enable
:create_pipeline
enable
:update_pipeline
enable
:create_pipeline_schedule
end
rule
{
can?
(
:maintainer_access
)
}.
policy
do
enable
:admin_board
enable
:push_to_delete_protected_branch
...
...
@@ -418,7 +425,7 @@ class ProjectPolicy < BasePolicy
# These rules are included to allow maintainers of projects to push to certain
# to run pipelines for the branches they have access to.
rule
{
can?
(
:public_access
)
&
has_merge_requests_allowing_pushes
}.
policy
do
rule
{
can?
(
:public_access
)
&
has_merge_requests_allowing_pushes
&
user_confirmed?
}.
policy
do
enable
:create_build
enable
:create_pipeline
end
...
...
changelogs/unreleased/nicolasdular-confirm-email-before-ci-usage.yml
0 → 100644
View file @
9a4e2a4e
---
title
:
Only allow confirmed users to run pipelines
merge_request
:
author
:
type
:
fixed
spec/policies/project_policy_spec.rb
View file @
9a4e2a4e
...
...
@@ -315,6 +315,31 @@ describe ProjectPolicy do
end
end
context
'pipeline feature'
do
let
(
:project
)
{
create
(
:project
)
}
describe
'for unconfirmed user'
do
let
(
:unconfirmed_user
)
{
create
(
:user
,
confirmed_at:
nil
)
}
subject
{
described_class
.
new
(
unconfirmed_user
,
project
)
}
it
'disallows to modify pipelines'
do
expect_disallowed
(
:create_pipeline
)
expect_disallowed
(
:update_pipeline
)
expect_disallowed
(
:create_pipeline_schedule
)
end
end
describe
'for confirmed user'
do
subject
{
described_class
.
new
(
developer
,
project
)
}
it
'allows modify pipelines'
do
expect_allowed
(
:create_pipeline
)
expect_allowed
(
:update_pipeline
)
expect_allowed
(
:create_pipeline_schedule
)
end
end
end
context
'builds feature'
do
context
'when builds are disabled'
do
subject
{
described_class
.
new
(
owner
,
project
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment