Commit aefd8b23 authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch 'fix/gb/use-merge-ability-for-protected-manual-actions' into 'master'

Check only a merge ability for protected actions

Closes #32618

See merge request !11648
parents a8f45c42 6914aeae
......@@ -23,7 +23,7 @@ module Ci
!::Gitlab::UserAccess
.new(user, project: build.project)
.can_push_to_branch?(build.ref)
.can_merge_to_branch?(build.ref)
end
end
end
......@@ -8,6 +8,7 @@
= icon('caret-down')
%ul.dropdown-menu.dropdown-menu-align-right
- actions.each do |action|
- next unless can?(current_user, :update_build, action)
%li
= link_to [:play, @project.namespace.becomes(Namespace), @project, action], method: :post, rel: 'nofollow' do
= custom_icon('icon_play')
......
......@@ -13,7 +13,7 @@
= render 'projects/environments/metrics_button', environment: @environment
- if can?(current_user, :update_environment, @environment)
= link_to 'Edit', edit_namespace_project_environment_path(@project.namespace, @project, @environment), class: 'btn'
- if can?(current_user, :create_deployment, @environment) && @environment.can_stop?
- if can?(current_user, :stop_environment, @environment)
= link_to 'Stop', stop_namespace_project_environment_path(@project.namespace, @project, @environment), data: { confirm: 'Are you sure you want to stop this environment?' }, class: 'btn btn-danger', method: :post
.environments-container
......
---
title: Respect merge, instead of push, permissions for protected actions
merge_request: 11648
author:
......@@ -591,7 +591,7 @@ Optional manual actions have `allow_failure: true` set by default.
**Manual actions are considered to be write actions, so permissions for
protected branches are used when user wants to trigger an action. In other
words, in order to trigger a manual action assigned to a branch that the
pipeline is running for, user needs to have ability to push to this branch.**
pipeline is running for, user needs to have ability to merge to this branch.**
### environment
......
......@@ -234,7 +234,11 @@ describe Projects::BuildsController do
describe 'POST play' do
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
sign_in(user)
post_play
......
......@@ -12,6 +12,7 @@ feature 'Environment', :feature do
feature 'environment details page' do
given!(:environment) { create(:environment, project: project) }
given!(:permissions) { }
given!(:deployment) { }
given!(:action) { }
......@@ -62,13 +63,17 @@ feature 'Environment', :feature do
name: 'deploy to production')
end
given(:role) { :master }
context 'when user has ability to trigger deployment' do
given(:permissions) do
create(:protected_branch, :developers_can_merge,
name: action.ref, project: project)
end
scenario 'does show a play button' do
it 'does show a play button' do
expect(page).to have_link(action.name.humanize)
end
scenario 'does allow to play manual action' do
it 'does allow to play manual action' do
expect(action).to be_manual
expect { click_link(action.name.humanize) }
......@@ -77,6 +82,13 @@ feature 'Environment', :feature do
expect(page).to have_content(action.name)
expect(action.reload).to be_pending
end
end
context 'when user has no ability to trigger a deployment' do
it 'does not show a play button' do
expect(page).not_to have_link(action.name.humanize)
end
end
context 'with external_url' do
given(:environment) { create(:environment, project: project, external_url: 'https://git.gitlab.com') }
......@@ -134,13 +146,24 @@ feature 'Environment', :feature do
on_stop: 'close_app')
end
given(:role) { :master }
context 'when user has ability to stop environment' do
given(:permissions) do
create(:protected_branch, :developers_can_merge,
name: action.ref, project: project)
end
scenario 'does allow to stop environment' do
it 'allows to stop environment' do
click_link('Stop')
expect(page).to have_content('close_app')
end
end
context 'when user has no ability to stop environment' do
it 'does not allow to stop environment' do
expect(page).to have_no_link('Stop')
end
end
context 'for reporter' do
let(:role) { :reporter }
......@@ -150,12 +173,6 @@ feature 'Environment', :feature do
end
end
end
context 'without stop action' do
scenario 'does allow to stop environment' do
click_link('Stop')
end
end
end
context 'when environment is stopped' do
......
......@@ -58,9 +58,12 @@ describe Gitlab::ChatCommands::Command, service: true do
end
end
context 'and user does have deployment permission' do
context 'and user has deployment permission' do
before do
build.project.add_master(user)
build.project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it 'returns action' do
......
......@@ -7,7 +7,12 @@ describe Gitlab::ChatCommands::Deploy, service: true do
let(:regex_match) { described_class.match('deploy staging to production') }
before do
project.add_master(user)
# Make it possible to trigger protected manual actions for developers.
#
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end
subject do
......
......@@ -224,7 +224,10 @@ describe Gitlab::Ci::Status::Build::Factory do
context 'when user has ability to play action' do
before do
build.project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it 'fabricates status that has action' do
......
......@@ -2,6 +2,7 @@ require 'spec_helper'
describe Gitlab::Ci::Status::Build::Play do
let(:user) { create(:user) }
let(:project) { build.project }
let(:build) { create(:ci_build, :manual) }
let(:status) { Gitlab::Ci::Status::Core.new(build, user) }
......@@ -15,8 +16,13 @@ describe Gitlab::Ci::Status::Build::Play do
describe '#has_action?' do
context 'when user is allowed to update build' do
context 'when user can push to branch' do
before { build.project.add_master(user) }
context 'when user is allowed to trigger protected action' do
before do
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it { is_expected.to have_action }
end
......
......@@ -227,7 +227,10 @@ describe Environment, models: true do
context 'when user is allowed to stop environment' do
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end
context 'when action did not yet finish' do
......
......@@ -3,6 +3,7 @@ require 'spec_helper'
describe BuildEntity do
let(:user) { create(:user) }
let(:build) { create(:ci_build) }
let(:project) { build.project }
let(:request) { double('request') }
before do
......@@ -52,7 +53,10 @@ describe BuildEntity do
context 'when user is allowed to trigger action' do
before do
build.project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end
it 'contains path to play action' do
......
......@@ -13,8 +13,11 @@ describe Ci::PlayBuildService, '#execute', :services do
context 'when project does not have repository yet' do
let(:project) { create(:empty_project) }
it 'allows user with master role to play build' do
project.add_master(user)
it 'allows user to play build if protected branch rules are met' do
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
service.execute(build)
......@@ -45,7 +48,10 @@ describe Ci::PlayBuildService, '#execute', :services do
let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it 'enqueues the build' do
......@@ -64,7 +70,10 @@ describe Ci::PlayBuildService, '#execute', :services do
let(:build) { create(:ci_build, when: :manual, pipeline: pipeline) }
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it 'duplicates the build' do
......
......@@ -333,10 +333,11 @@ describe Ci::ProcessPipelineService, '#execute', :services do
context 'when pipeline is promoted sequentially up to the end' do
before do
# We are using create(:empty_project), and users has to be master in
# order to execute manual action when repository does not exist.
# Users need ability to merge into a branch in order to trigger
# protected manual actions.
#
project.add_master(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end
it 'properly processes entire pipeline' do
......
......@@ -6,9 +6,12 @@ describe Ci::RetryPipelineService, '#execute', :services do
let(:pipeline) { create(:ci_pipeline, project: project) }
let(:service) { described_class.new(project, user) }
context 'when user has ability to modify pipeline' do
context 'when user has full ability to modify pipeline' do
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: pipeline.ref, project: project)
end
context 'when there are already retried jobs present' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment