Use route_setting authentication job_token_allowed to be true

e2135248 · Kamil Trzcinski · b500d58c · e2135248 · b500d58c · e2135248
Commit e2135248 authored Jul 25, 2017 by Kamil Trzcinski
5 changed files
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -33,9 +33,10 @@ class Ability
    end

    def allowed?(user, action, subject = :global, opts = {})
-      return user.abilities.include?(action) if user.is_a?(Ci::JobUser)
+      if subject.is_a?(Hash)
+        opts, subject = subject, :global
+      end

-      opts, subject = subject, :global if subject.is_a?(Hash)
      policy = policy_for(user, subject)

      case opts[:scope]

--- a/app/models/ci/job_user.rb
+++ b/app/models/ci/job_user.rb
-module Ci
-  # Empty class to differenciate between users that have authenticated by
-  # CI_JOB_TOKEN
-  class JobUser < User
-    def abilities
-      %i[read_build read_project access_git access_api]
-    end
-  end
-end
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -27,6 +27,4 @@ class BasePolicy < DeclarativePolicy::Base

  with_scope :global
  condition(:license_block) { License.block_changes? }
-
-  rule { ci_job_user }.prevent_all
 end
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -89,13 +89,13 @@ module API
      end

      def find_user_by_ci_token
+        return nil unless route_authentication_setting[:job_token_allowed]
+
        job_token = params[CI_JOB_TOKEN_PARAM].to_s

        return nil unless job_token.present?

-        user = Ci::Build.find_by_token(job_token)&.user
-
-        user.becomes(Ci::JobUser) if user
+        Ci::Build.find_by_token(job_token)&.user
      end

      def current_user
@@ -104,6 +104,10 @@ module API

      private

+      def route_authentication_setting
+        route_setting(:authentication) || {}
+      end
+
      def find_user_by_authentication_token(token_string)
        User.find_by_authentication_token(token_string)
      end

--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -77,6 +77,7 @@ module API
      params do
        requires :job_id, type: Integer, desc: 'The ID of a job'
      end
+      route_setting :authentication, job_token_allowed: true
      get ':id/jobs/:job_id/artifacts' do
        authorize_read_builds!

@@ -92,6 +93,7 @@ module API
        requires :ref_name, type: String, desc: 'The ref from repository'
        requires :job,      type: String, desc: 'The name for the job'
      end
+      route_setting :authentication, job_token_allowed: true
      get ':id/jobs/artifacts/:ref_name/download',
        requirements: { ref_name: /.+/ } do
        authorize_read_builds!