Commit e2135248 authored by Kamil Trzcinski

Use route_setting authentication job_token_allowed to be true

parent b500d58c
...@@ -33,9 +33,10 @@ class Ability ...@@ -33,9 +33,10 @@ class Ability
end end
def allowed?(user, action, subject = :global, opts = {}) def allowed?(user, action, subject = :global, opts = {})
return user.abilities.include?(action) if user.is_a?(Ci::JobUser) if subject.is_a?(Hash)
opts, subject = subject, :global
end
opts, subject = subject, :global if subject.is_a?(Hash)
policy = policy_for(user, subject) policy = policy_for(user, subject)
case opts[:scope] case opts[:scope]
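Review bot: The new `if subject.is_a?(Hash)` block in `allowed?` performs a parallel assignment whose purpose — a caller that left out `subject` and passed the options hash in its position — is nowhere stated, and the swap reads as a typo to anyone unfamiliar with the calling convention. Suggest a comment directly above the block: `# allowed?(user, action, scope: ...) omits subject; treat the hash as opts and default the subject to :global`. The `ability.rb` hunk also drops the early return for `Ci::JobUser`, so every caller now goes through `policy_for` regardless of how the user authenticated; that is consistent with the other hunks but worth a sentence in the commit message. The remainder of `allowed?`, including the `case opts[:scope]` branches, continues outside the hunk.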
module Ci
# Empty class to differenciate between users that have authenticated by
# CI_JOB_TOKEN
class JobUser < User
def abilities
%i[read_build read_project access_git access_api]
end
end
end
...@@ -27,6 +27,4 @@ class BasePolicy < DeclarativePolicy::Base ...@@ -27,6 +27,4 @@ class BasePolicy < DeclarativePolicy::Base
with_scope :global with_scope :global
condition(:license_block) { License.block_changes? } condition(:license_block) { License.block_changes? }
rule { ci_job_user }.prevent_all
end end
...@@ -89,13 +89,13 @@ module API ...@@ -89,13 +89,13 @@ module API
end end
def find_user_by_ci_token def find_user_by_ci_token
return nil unless route_authentication_setting[:job_token_allowed]
job_token = params[CI_JOB_TOKEN_PARAM].to_s job_token = params[CI_JOB_TOKEN_PARAM].to_s
return nil unless job_token.present? return nil unless job_token.present?
user = Ci::Build.find_by_token(job_token)&.user Ci::Build.find_by_token(job_token)&.user
user.becomes(Ci::JobUser) if user
end end
def current_user def current_user
...@@ -104,6 +104,10 @@ module API ...@@ -104,6 +104,10 @@ module API
private private
def route_authentication_setting
route_setting(:authentication) || {}
end
def find_user_by_authentication_token(token_string) def find_user_by_authentication_token(token_string)
User.find_by_authentication_token(token_string) User.find_by_authentication_token(token_string)
end end
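Review bot: The new guard `return nil unless route_authentication_setting[:job_token_allowed]` in `find_user_by_ci_token` is the only thing that decides which endpoints honour CI_JOB_TOKEN, and on those endpoints the token now resolves to the build's plain `User` because the `becomes(Ci::JobUser)` narrowing on the removed line is gone; nothing in the hunk records that opting in therefore lets the token act with that user's normal permissions rather than the reduced ability set it had before. Suggest a comment above the guard: `# CI_JOB_TOKEN is accepted only on endpoints that declare route_setting :authentication, job_token_allowed: true; on those endpoints the token authenticates as the build's user, so each opted-in endpoint must still authorize the specific action itself.` The `route_authentication_setting` helper in the second hunk falls back to `{}`, which makes `[:job_token_allowed]` nil on every route that does not opt in — a one-line comment there, `# nil-safe lookup of the per-endpoint authentication options`, would make that default explicit. The check is truthiness-based, so any truthy value (not only `true`) enables the token path; if that is intended, say so in the comment. `current_user` begins on the last line of the first hunk and continues outside it.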
...@@ -77,6 +77,7 @@ module API ...@@ -77,6 +77,7 @@ module API
params do params do
requires :job_id, type: Integer, desc: 'The ID of a job' requires :job_id, type: Integer, desc: 'The ID of a job'
end end
route_setting :authentication, job_token_allowed: true
get ':id/jobs/:job_id/artifacts' do get ':id/jobs/:job_id/artifacts' do
authorize_read_builds! authorize_read_builds!
...@@ -92,6 +93,7 @@ module API ...@@ -92,6 +93,7 @@ module API
requires :ref_name, type: String, desc: 'The ref from repository' requires :ref_name, type: String, desc: 'The ref from repository'
requires :job, type: String, desc: 'The name for the job' requires :job, type: String, desc: 'The name for the job'
end end
route_setting :authentication, job_token_allowed: true
get ':id/jobs/artifacts/:ref_name/download', get ':id/jobs/artifacts/:ref_name/download',
requirements: { ref_name: /.+/ } do requirements: { ref_name: /.+/ } do
authorize_read_builds! authorize_read_builds!
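Review bot: Both added `route_setting :authentication, job_token_allowed: true` lines sit between the `params` block and the `get` with no explanation of what the flag does or why these two artifact endpoints are the ones that get it, so a future reader cannot tell whether copying the line to another endpoint is safe. Suggest a comment above each: `# Artifacts may be downloaded with CI_JOB_TOKEN; the token resolves to the build's user, so authorize_read_builds! below still gates access.` Both endpoints do call `authorize_read_builds!` as their first statement, which is what keeps the opt-in scoped; that dependency is exactly what the comment should pin down. The bodies of both `get` blocks continue outside the hunks.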