Commit aefd8b23 authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch 'fix/gb/use-merge-ability-for-protected-manual-actions' into 'master'

Check only a merge ability for protected actions

Closes #32618

See merge request !11648
parents a8f45c42 6914aeae
...@@ -23,7 +23,7 @@ module Ci ...@@ -23,7 +23,7 @@ module Ci
!::Gitlab::UserAccess !::Gitlab::UserAccess
.new(user, project: build.project) .new(user, project: build.project)
.can_push_to_branch?(build.ref) .can_merge_to_branch?(build.ref)
end end
end end
end end
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
= icon('caret-down') = icon('caret-down')
%ul.dropdown-menu.dropdown-menu-align-right %ul.dropdown-menu.dropdown-menu-align-right
- actions.each do |action| - actions.each do |action|
- next unless can?(current_user, :update_build, action)
%li %li
= link_to [:play, @project.namespace.becomes(Namespace), @project, action], method: :post, rel: 'nofollow' do = link_to [:play, @project.namespace.becomes(Namespace), @project, action], method: :post, rel: 'nofollow' do
= custom_icon('icon_play') = custom_icon('icon_play')
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
= render 'projects/environments/metrics_button', environment: @environment = render 'projects/environments/metrics_button', environment: @environment
- if can?(current_user, :update_environment, @environment) - if can?(current_user, :update_environment, @environment)
= link_to 'Edit', edit_namespace_project_environment_path(@project.namespace, @project, @environment), class: 'btn' = link_to 'Edit', edit_namespace_project_environment_path(@project.namespace, @project, @environment), class: 'btn'
- if can?(current_user, :create_deployment, @environment) && @environment.can_stop? - if can?(current_user, :stop_environment, @environment)
= link_to 'Stop', stop_namespace_project_environment_path(@project.namespace, @project, @environment), data: { confirm: 'Are you sure you want to stop this environment?' }, class: 'btn btn-danger', method: :post = link_to 'Stop', stop_namespace_project_environment_path(@project.namespace, @project, @environment), data: { confirm: 'Are you sure you want to stop this environment?' }, class: 'btn btn-danger', method: :post
.environments-container .environments-container
......
---
title: Respect merge, instead of push, permissions for protected actions
merge_request: 11648
author:
...@@ -591,7 +591,7 @@ Optional manual actions have `allow_failure: true` set by default. ...@@ -591,7 +591,7 @@ Optional manual actions have `allow_failure: true` set by default.
**Manual actions are considered to be write actions, so permissions for **Manual actions are considered to be write actions, so permissions for
protected branches are used when user wants to trigger an action. In other protected branches are used when user wants to trigger an action. In other
words, in order to trigger a manual action assigned to a branch that the words, in order to trigger a manual action assigned to a branch that the
pipeline is running for, user needs to have ability to push to this branch.** pipeline is running for, user needs to have ability to merge to this branch.**
### environment ### environment
......
...@@ -234,7 +234,11 @@ describe Projects::BuildsController do ...@@ -234,7 +234,11 @@ describe Projects::BuildsController do
describe 'POST play' do describe 'POST play' do
before do before do
project.add_master(user) project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
sign_in(user) sign_in(user)
post_play post_play
......
...@@ -12,6 +12,7 @@ feature 'Environment', :feature do ...@@ -12,6 +12,7 @@ feature 'Environment', :feature do
feature 'environment details page' do feature 'environment details page' do
given!(:environment) { create(:environment, project: project) } given!(:environment) { create(:environment, project: project) }
given!(:permissions) { }
given!(:deployment) { } given!(:deployment) { }
given!(:action) { } given!(:action) { }
...@@ -62,13 +63,17 @@ feature 'Environment', :feature do ...@@ -62,13 +63,17 @@ feature 'Environment', :feature do
name: 'deploy to production') name: 'deploy to production')
end end
given(:role) { :master } context 'when user has ability to trigger deployment' do
given(:permissions) do
create(:protected_branch, :developers_can_merge,
name: action.ref, project: project)
end
scenario 'does show a play button' do it 'does show a play button' do
expect(page).to have_link(action.name.humanize) expect(page).to have_link(action.name.humanize)
end end
scenario 'does allow to play manual action' do it 'does allow to play manual action' do
expect(action).to be_manual expect(action).to be_manual
expect { click_link(action.name.humanize) } expect { click_link(action.name.humanize) }
...@@ -77,6 +82,13 @@ feature 'Environment', :feature do ...@@ -77,6 +82,13 @@ feature 'Environment', :feature do
expect(page).to have_content(action.name) expect(page).to have_content(action.name)
expect(action.reload).to be_pending expect(action.reload).to be_pending
end end
end
context 'when user has no ability to trigger a deployment' do
it 'does not show a play button' do
expect(page).not_to have_link(action.name.humanize)
end
end
context 'with external_url' do context 'with external_url' do
given(:environment) { create(:environment, project: project, external_url: 'https://git.gitlab.com') } given(:environment) { create(:environment, project: project, external_url: 'https://git.gitlab.com') }
...@@ -134,13 +146,24 @@ feature 'Environment', :feature do ...@@ -134,13 +146,24 @@ feature 'Environment', :feature do
on_stop: 'close_app') on_stop: 'close_app')
end end
given(:role) { :master } context 'when user has ability to stop environment' do
given(:permissions) do
create(:protected_branch, :developers_can_merge,
name: action.ref, project: project)
end
scenario 'does allow to stop environment' do it 'allows to stop environment' do
click_link('Stop') click_link('Stop')
expect(page).to have_content('close_app') expect(page).to have_content('close_app')
end end
end
context 'when user has no ability to stop environment' do
it 'does not allow to stop environment' do
expect(page).to have_no_link('Stop')
end
end
context 'for reporter' do context 'for reporter' do
let(:role) { :reporter } let(:role) { :reporter }
...@@ -150,12 +173,6 @@ feature 'Environment', :feature do ...@@ -150,12 +173,6 @@ feature 'Environment', :feature do
end end
end end
end end
context 'without stop action' do
scenario 'does allow to stop environment' do
click_link('Stop')
end
end
end end
context 'when environment is stopped' do context 'when environment is stopped' do
......
...@@ -58,9 +58,12 @@ describe Gitlab::ChatCommands::Command, service: true do ...@@ -58,9 +58,12 @@ describe Gitlab::ChatCommands::Command, service: true do
end end
end end
context 'and user does have deployment permission' do context 'and user has deployment permission' do
before do before do
build.project.add_master(user) build.project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end end
it 'returns action' do it 'returns action' do
......
...@@ -7,7 +7,12 @@ describe Gitlab::ChatCommands::Deploy, service: true do ...@@ -7,7 +7,12 @@ describe Gitlab::ChatCommands::Deploy, service: true do
let(:regex_match) { described_class.match('deploy staging to production') } let(:regex_match) { described_class.match('deploy staging to production') }
before do before do
project.add_master(user) # Make it possible to trigger protected manual actions for developers.
#
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end end
subject do subject do
......
...@@ -224,7 +224,10 @@ describe Gitlab::Ci::Status::Build::Factory do ...@@ -224,7 +224,10 @@ describe Gitlab::Ci::Status::Build::Factory do
context 'when user has ability to play action' do context 'when user has ability to play action' do
before do before do
build.project.add_master(user) project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end end
it 'fabricates status that has action' do it 'fabricates status that has action' do
......
...@@ -2,6 +2,7 @@ require 'spec_helper' ...@@ -2,6 +2,7 @@ require 'spec_helper'
describe Gitlab::Ci::Status::Build::Play do describe Gitlab::Ci::Status::Build::Play do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:project) { build.project }
let(:build) { create(:ci_build, :manual) } let(:build) { create(:ci_build, :manual) }
let(:status) { Gitlab::Ci::Status::Core.new(build, user) } let(:status) { Gitlab::Ci::Status::Core.new(build, user) }
...@@ -15,8 +16,13 @@ describe Gitlab::Ci::Status::Build::Play do ...@@ -15,8 +16,13 @@ describe Gitlab::Ci::Status::Build::Play do
describe '#has_action?' do describe '#has_action?' do
context 'when user is allowed to update build' do context 'when user is allowed to update build' do
context 'when user can push to branch' do context 'when user is allowed to trigger protected action' do
before { build.project.add_master(user) } before do
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it { is_expected.to have_action } it { is_expected.to have_action }
end end
......
...@@ -227,7 +227,10 @@ describe Environment, models: true do ...@@ -227,7 +227,10 @@ describe Environment, models: true do
context 'when user is allowed to stop environment' do context 'when user is allowed to stop environment' do
before do before do
project.add_master(user) project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end end
context 'when action did not yet finish' do context 'when action did not yet finish' do
......
...@@ -3,6 +3,7 @@ require 'spec_helper' ...@@ -3,6 +3,7 @@ require 'spec_helper'
describe BuildEntity do describe BuildEntity do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:build) { create(:ci_build) } let(:build) { create(:ci_build) }
let(:project) { build.project }
let(:request) { double('request') } let(:request) { double('request') }
before do before do
...@@ -52,7 +53,10 @@ describe BuildEntity do ...@@ -52,7 +53,10 @@ describe BuildEntity do
context 'when user is allowed to trigger action' do context 'when user is allowed to trigger action' do
before do before do
build.project.add_master(user) project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end end
it 'contains path to play action' do it 'contains path to play action' do
......
...@@ -13,8 +13,11 @@ describe Ci::PlayBuildService, '#execute', :services do ...@@ -13,8 +13,11 @@ describe Ci::PlayBuildService, '#execute', :services do
context 'when project does not have repository yet' do context 'when project does not have repository yet' do
let(:project) { create(:empty_project) } let(:project) { create(:empty_project) }
it 'allows user with master role to play build' do it 'allows user to play build if protected branch rules are met' do
project.add_master(user) project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
service.execute(build) service.execute(build)
...@@ -45,7 +48,10 @@ describe Ci::PlayBuildService, '#execute', :services do ...@@ -45,7 +48,10 @@ describe Ci::PlayBuildService, '#execute', :services do
let(:build) { create(:ci_build, :manual, pipeline: pipeline) } let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
before do before do
project.add_master(user) project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end end
it 'enqueues the build' do it 'enqueues the build' do
...@@ -64,7 +70,10 @@ describe Ci::PlayBuildService, '#execute', :services do ...@@ -64,7 +70,10 @@ describe Ci::PlayBuildService, '#execute', :services do
let(:build) { create(:ci_build, when: :manual, pipeline: pipeline) } let(:build) { create(:ci_build, when: :manual, pipeline: pipeline) }
before do before do
project.add_master(user) project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end end
it 'duplicates the build' do it 'duplicates the build' do
......
...@@ -333,10 +333,11 @@ describe Ci::ProcessPipelineService, '#execute', :services do ...@@ -333,10 +333,11 @@ describe Ci::ProcessPipelineService, '#execute', :services do
context 'when pipeline is promoted sequentially up to the end' do context 'when pipeline is promoted sequentially up to the end' do
before do before do
# We are using create(:empty_project), and users has to be master in # Users need ability to merge into a branch in order to trigger
# order to execute manual action when repository does not exist. # protected manual actions.
# #
project.add_master(user) create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end end
it 'properly processes entire pipeline' do it 'properly processes entire pipeline' do
......
...@@ -6,9 +6,12 @@ describe Ci::RetryPipelineService, '#execute', :services do ...@@ -6,9 +6,12 @@ describe Ci::RetryPipelineService, '#execute', :services do
let(:pipeline) { create(:ci_pipeline, project: project) } let(:pipeline) { create(:ci_pipeline, project: project) }
let(:service) { described_class.new(project, user) } let(:service) { described_class.new(project, user) }
context 'when user has ability to modify pipeline' do context 'when user has full ability to modify pipeline' do
before do before do
project.add_master(user) project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: pipeline.ref, project: project)
end end
context 'when there are already retried jobs present' do context 'when there are already retried jobs present' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment