Merge branch 'bug/35083-check-permission-for-downstream-pipeline' into 'master'

Add protected branch permission check to run downstream pipelines

See merge request gitlab-org/gitlab!20964

changelogs/unreleased/bug-35083-check-permission-for-downstream-pipeline.yml

+---
+title: Add protected branch permission check to run downstream pipelines
+merge_request: 20964
+author:
+type: fixed

ee/app/services/ci/create_cross_project_pipeline_service.rb

@@ -31,7 +31,12 @@ module Ci
 
     def can_create_cross_pipeline?
       can?(current_user, :update_pipeline, project) &&
-        can?(target_user, :create_pipeline, target_project)
+        can?(target_user, :create_pipeline, target_project) &&
+          can_update_branch?
+    end
+
+    def can_update_branch?
+      ::Gitlab::UserAccess.new(target_user, project: target_project).can_update_branch?(target_ref)
     end
 
     def create_pipeline!

ee/spec/services/ci/create_cross_project_pipeline_service_spec.rb

@@ -223,5 +223,19 @@ describe Ci::CreateCrossProjectPipelineService, '#execute' do
         end
       end
     end
+
+    context 'when user does not have access to push protected branch of downstream project' do
+      before do
+        create(:protected_branch, :maintainers_can_push,
+               project: downstream_project, name: 'feature')
+      end
+
+      it 'changes status of the bridge build' do
+        service.execute(bridge)
+
+        expect(bridge.reload).to be_failed
+        expect(bridge.failure_reason).to eq 'insufficient_bridge_permissions'
+      end
+    end
   end
 end