diff options
| author | Lin Jen-Shin <godfat@godfat.org> | 2017-07-17 16:49:54 +0800 |
|---|---|---|
| committer | Lin Jen-Shin <godfat@godfat.org> | 2017-07-17 16:49:54 +0800 |
| commit | c82a642b51ad9a206e97072813b64479a0a6cd4c (patch) | |
| tree | 40b8b71650649efb4781840a6965a787f6b57227 | |
| parent | 5f32bd774ad5cb89685dab5102e0614b2593d4ff (diff) | |
| download | gitlab-ce-c82a642b51ad9a206e97072813b64479a0a6cd4c.tar.gz | |
Protect manual actions against protected tag too
| -rw-r--r-- | app/policies/ci/build_policy.rb | 7 | ||||
| -rw-r--r-- | spec/policies/ci/build_policy_spec.rb | 25 |
2 files changed, 23 insertions, 9 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index a886efc1360..71ecb5bca8d 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -3,9 +3,10 @@ module Ci condition(:protected_action) do next false unless @subject.action? - !::Gitlab::UserAccess - .new(@user, project: @subject.project) - .can_merge_to_branch?(@subject.ref) + access = ::Gitlab::UserAccess.new(@user, project: @subject.project) + + !access.can_merge_to_branch?(@subject.ref) || + !access.can_create_tag?(@subject.ref) end rule { protected_action }.prevent :update_build diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb index ace95ac7067..aa62e675d37 100644 --- a/spec/policies/ci/build_policy_spec.rb +++ b/spec/policies/ci/build_policy_spec.rb @@ -103,12 +103,7 @@ describe Ci::BuildPolicy, :models do project.add_developer(user) end - context 'when branch build is assigned to is protected' do - before do - create(:protected_branch, :no_one_can_push, - name: 'some-ref', project: project) - end - + shared_examples 'protected ref' do context 'when build is a manual action' do let(:build) do create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline) @@ -130,6 +125,24 @@ describe Ci::BuildPolicy, :models do end end + context 'when build is against a protected branch' do + before do + create(:protected_branch, :no_one_can_push, + name: 'some-ref', project: project) + end + + it_behaves_like 'protected ref' + end + + context 'when build is against a protected tag' do + before do + create(:protected_tag, :no_one_can_create, + name: 'some-ref', project: project) + end + + it_behaves_like 'protected ref' + end + context 'when branch build is assigned to is not protected' do context 'when build is a manual action' do let(:build) { create(:ci_build, :manual, pipeline: pipeline) } |