authorGrzegorz Bizon <grzegorz@gitlab.com>2017-07-18 10:52:17 +0000
committerGrzegorz Bizon <grzegorz@gitlab.com>2017-07-18 10:52:17 +0000
commitf48264555563a906472795bc9fbccd09be4b6a47 (patch)
treef3d3716df513096bacf35f6823b097c5f0377d2f
parent786879e3724284ff6f955cedab1edaa51e00bdd0 (diff)
parent7426e616e859671622cea96755cb5b1e09fd9abe (diff)
Merge branch '34927-protect-manual-actions-on-tags' into 'master'
Protect manual actions against protected tag too Closes #34927 See merge request !12908
-rw-r--r--app/policies/ci/build_policy.rb10
-rw-r--r--changelogs/unreleased/34927-protect-manual-actions-on-tags.yml4
-rw-r--r--spec/policies/ci/build_policy_spec.rb44
3 files changed, 49 insertions, 9 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index a886efc1360..386822d3ff6 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -3,9 +3,13 @@ module Ci
condition(:protected_action) do
next false unless @subject.action?
- !::Gitlab::UserAccess
- .new(@user, project: @subject.project)
- .can_merge_to_branch?(@subject.ref)
+ access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+
+ if @subject.tag?
+ !access.can_create_tag?(@subject.ref)
+ else
+ !access.can_merge_to_branch?(@subject.ref)
+ end
end
rule { protected_action }.prevent :update_build
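Review bot: The `protected_action` condition now encodes a two-way authorization rule but carries no comment stating it; a line above `access = ...` such as `# Manual actions on a protected ref require the right to create that tag / merge to that branch` would make the intent auditable. The guard `next false unless @subject.action?` means builds that are not manual actions never reach either check, so the protection covers manual actions only; if that scope is intentional, the same comment should say so. The negation is also repeated in both branches and could be applied once, e.g. `allowed = @subject.tag? ? access.can_create_tag?(@subject.ref) : access.can_merge_to_branch?(@subject.ref)` followed by `!allowed`. The enclosing `module Ci` and policy class start and end outside the hunk.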
diff --git a/changelogs/unreleased/34927-protect-manual-actions-on-tags.yml b/changelogs/unreleased/34927-protect-manual-actions-on-tags.yml
new file mode 100644
index 00000000000..d996ae2826a
--- /dev/null
+++ b/changelogs/unreleased/34927-protect-manual-actions-on-tags.yml
@@ -0,0 +1,4 @@
+---
+title: Protect manual actions against protected tag too
+merge_request: 12908
+author:
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index ace95ac7067..9f3212b1a63 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -103,12 +103,7 @@ describe Ci::BuildPolicy, :models do
project.add_developer(user)
end
- context 'when branch build is assigned to is protected' do
- before do
- create(:protected_branch, :no_one_can_push,
- name: 'some-ref', project: project)
- end
-
+ shared_examples 'protected ref' do
context 'when build is a manual action' do
let(:build) do
create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
@@ -130,6 +125,43 @@ describe Ci::BuildPolicy, :models do
end
end
+ context 'when build is against a protected branch' do
+ before do
+ create(:protected_branch, :no_one_can_push,
+ name: 'some-ref', project: project)
+ end
+
+ it_behaves_like 'protected ref'
+ end
+
+ context 'when build is against a protected tag' do
+ before do
+ create(:protected_tag, :no_one_can_create,
+ name: 'some-ref', project: project)
+
+ build.update(tag: true)
+ end
+
+ it_behaves_like 'protected ref'
+ end
+
+ context 'when build is against a protected tag but it is not a tag' do
+ before do
+ create(:protected_tag, :no_one_can_create,
+ name: 'some-ref', project: project)
+ end
+
+ context 'when build is a manual action' do
+ let(:build) do
+ create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
+ end
+
+ it 'includes ability to update build' do
+ expect(policy).to be_allowed :update_build
+ end
+ end
+ end
+
context 'when branch build is assigned to is not protected' do
context 'when build is a manual action' do
let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
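Review bot: The added contexts cover a branch build whose ref name matches a protected tag, but not the mirror case of a tag build whose name matches a protected branch. Because the policy chooses the check from `@subject.tag?`, a context that creates `:protected_branch, :no_one_can_push` for 'some-ref', marks the build with `tag: true`, and asserts the expected outcome (presumably `be_allowed :update_build`) would pin that same-named refs of the other kind do not leak into the decision. In the protected-tag context, `build.update(tag: true)` ignores a false return, so a failed setup would silently exercise the branch path; `build.update!(tag: true)` would fail loudly instead. The `describe` block continues outside the hunk.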