diff options
author | Lin Jen-Shin <godfat@godfat.org> | 2017-07-18 16:31:29 +0800 |
---|---|---|
committer | Lin Jen-Shin <godfat@godfat.org> | 2017-07-18 16:42:13 +0800 |
commit | 7426e616e859671622cea96755cb5b1e09fd9abe (patch) | |
tree | f83c713abfa6c1f7b3b9b1e0e7af61d36e8f02b5 | |
parent | ef2e9879b9f4b730be2f950aa60db8b503f332b5 (diff) | |
download | gitlab-ce-7426e616e859671622cea96755cb5b1e09fd9abe.tar.gz |
Make sure it checks against the tag only when it's a tag34927-protect-manual-actions-on-tags
-rw-r--r-- | app/policies/ci/build_policy.rb | 5 | ||||
-rw-r--r-- | spec/policies/ci/build_policy_spec.rb | 19 |
2 files changed, 23 insertions, 1 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 71ecb5bca8d..386822d3ff6 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -5,8 +5,11 @@ module Ci access = ::Gitlab::UserAccess.new(@user, project: @subject.project) - !access.can_merge_to_branch?(@subject.ref) || + if @subject.tag? !access.can_create_tag?(@subject.ref) + else + !access.can_merge_to_branch?(@subject.ref) + end end rule { protected_action }.prevent :update_build diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb index aa62e675d37..9f3212b1a63 100644 --- a/spec/policies/ci/build_policy_spec.rb +++ b/spec/policies/ci/build_policy_spec.rb @@ -138,11 +138,30 @@ describe Ci::BuildPolicy, :models do before do create(:protected_tag, :no_one_can_create, name: 'some-ref', project: project) + + build.update(tag: true) end it_behaves_like 'protected ref' end + context 'when build is against a protected tag but it is not a tag' do + before do + create(:protected_tag, :no_one_can_create, + name: 'some-ref', project: project) + end + + context 'when build is a manual action' do + let(:build) do + create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline) + end + + it 'includes ability to update build' do + expect(policy).to be_allowed :update_build + end + end + end + context 'when branch build is assigned to is not protected' do context 'when build is a manual action' do let(:build) { create(:ci_build, :manual, pipeline: pipeline) } |