Add protected branch permission check to run downstream pipelines

baf43a0a · Furkan Ayhan · ecf2d069 · baf43a0a · baf43a0a · baf43a0a
Commit baf43a0a authored Nov 29, 2019 by Furkan Ayhan
3 changed files
--- a/changelogs/unreleased/bug-35083-check-permission-for-downstream-pipeline.yml
+++ b/changelogs/unreleased/bug-35083-check-permission-for-downstream-pipeline.yml
+---
+title: Add protected branch permission check to run downstream pipelines
+merge_request: 20964
+author:
+type: fixed
--- a/ee/app/services/ci/create_cross_project_pipeline_service.rb
+++ b/ee/app/services/ci/create_cross_project_pipeline_service.rb
@@ -31,7 +31,12 @@ module Ci

    def can_create_cross_pipeline?
      can?(current_user, :update_pipeline, project) &&
-        can?(target_user, :create_pipeline, target_project)
+        can?(target_user, :create_pipeline, target_project) &&
+          can_update_branch?
+    end
+
+    def can_update_branch?
+      ::Gitlab::UserAccess.new(target_user, project: target_project).can_update_branch?(target_ref)
    end

    def create_pipeline!

--- a/ee/spec/services/ci/create_cross_project_pipeline_service_spec.rb
+++ b/ee/spec/services/ci/create_cross_project_pipeline_service_spec.rb
@@ -223,5 +223,19 @@ describe Ci::CreateCrossProjectPipelineService, '#execute' do
        end
      end
    end
+
+    context 'when user does not have access to push protected branch of downstream project' do
+      before do
+        create(:protected_branch, :maintainers_can_push,
+               project: downstream_project, name: 'feature')
+      end
+
+      it 'changes status of the bridge build' do
+        service.execute(bridge)
+
+        expect(bridge.reload).to be_failed
+        expect(bridge.failure_reason).to eq 'insufficient_bridge_permissions'
+      end
+    end
  end
 end