author | Matija Čupić <matteeyah@gmail.com> | 2018-11-13 17:17:01 +0100 |
---|---|---|
committer | Matija Čupić <matteeyah@gmail.com> | 2018-11-13 17:24:10 +0100 |
commit | 0bc14b452218277a55f71ab22bed724b696ecf28 (patch) | |
tree | e40bfff5efb59240cac45ac07906b3fccaf76291 | |
parent | 6173d4639a388f59872291657a2528256c90a846 (diff) | |
download | gitlab-ce-0bc14b452218277a55f71ab22bed724b696ecf28.tar.gz |
Authorize DestroyPipelineService against pipeline
-rw-r--r-- | app/policies/ci/pipeline_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 1 | ||||
-rw-r--r-- | app/services/ci/destroy_pipeline_service.rb | 4 | ||||
-rw-r--r-- | lib/api/pipelines.rb | 2 | ||||
-rw-r--r-- | spec/policies/ci/pipeline_policy_spec.rb | 18 |
5 files changed, 25 insertions, 4 deletions
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb index f9623587957..e42d78f47c5 100644 --- a/app/policies/ci/pipeline_policy.rb +++ b/app/policies/ci/pipeline_policy.rb @@ -16,6 +16,10 @@ module Ci enable :update_pipeline end + rule { can?(:owner_access) }.policy do + enable :destroy_pipeline + end + def ref_protected?(user, project, tag, ref) access = ::Gitlab::UserAccess.new(user, project: project) diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 221826121da..1c082945299 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -144,7 +144,6 @@ class ProjectPolicy < BasePolicy enable :destroy_merge_request enable :destroy_issue enable :remove_pages - enable :destroy_pipeline enable :set_issue_iid enable :set_issue_created_at diff --git a/app/services/ci/destroy_pipeline_service.rb b/app/services/ci/destroy_pipeline_service.rb index 059e871f20e..f40e73b3efb 100644 --- a/app/services/ci/destroy_pipeline_service.rb +++ b/app/services/ci/destroy_pipeline_service.rb @@ -3,11 +3,11 @@ module Ci class DestroyPipelineService < BaseService def execute(pipeline) - return false unless can?(current_user, :destroy_pipeline, project) + return false unless can?(current_user, :destroy_pipeline, pipeline) AuditEventService.new(current_user, pipeline).security_event - pipeline.destroy + pipeline.destroy! end end end diff --git a/lib/api/pipelines.rb b/lib/api/pipelines.rb index 39d693bb9e9..cba1e3a6684 100644 --- a/lib/api/pipelines.rb +++ b/lib/api/pipelines.rb @@ -89,7 +89,7 @@ module API requires :pipeline_id, type: Integer, desc: 'The pipeline ID' end delete ':id/pipelines/:pipeline_id' do - authorize! :destroy_pipeline, user_project + authorize! :destroy_pipeline, pipeline destroy_conditionally!(pipeline) do ::Ci::DestroyPipelineService.new(user_project, current_user).execute(pipeline) 
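Review bot: The new `rule { can?(:owner_access) }` block in app/policies/ci/pipeline_policy.rb carries no comment saying where `:owner_access` is resolved, and the same commit removes `enable :destroy_pipeline` from ProjectPolicy, so any remaining check that still passes a project as the subject will now be denied without raising. Presumably the pipeline policy delegates to the project policy, but that declaration is outside the hunk. A line such as `# :owner_access is resolved through the project policy; destroy_pipeline must be checked against the pipeline, not the project` above the rule would record the contract. It is also worth searching for other `:destroy_pipeline` callers (views, controllers) before merging, because a stale project-level check fails closed and only hides the action.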
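Review bot: In Ci::DestroyPipelineService#execute the audit event is written before `pipeline.destroy!`, so with the switch to the bang method a failed destroy now raises after a security event has already recorded a deletion that did not take place. Either destroy first and log afterwards, or wrap both calls in `pipeline.transaction do ... end` so the event is rolled back with the failed delete; the second option only helps if audit events live in the same database, which is not visible here. The method also now has two failure modes, returning `false` when unauthorized and raising when the destroy fails, and that deserves a short comment above `def execute(pipeline)` so callers such as the DELETE endpoint in lib/api/pipelines.rb know to expect the exception.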
diff --git a/spec/policies/ci/pipeline_policy_spec.rb b/spec/policies/ci/pipeline_policy_spec.rb
index bd32faf06ef..8022f61e67d 100644
--- a/spec/policies/ci/pipeline_policy_spec.rb
+++ b/spec/policies/ci/pipeline_policy_spec.rb
@@ -74,5 +74,23 @@ describe Ci::PipelinePolicy, :models do
 expect(policy).to be_allowed :update_pipeline
 end
 end
+
+ describe 'destroy_pipeline' do
+ let(:project) { create(:project, :public) }
+
+ context 'when user has owner access' do
+ let(:user) { project.owner }
+
+ it 'is enabled' do
+ expect(policy).to be_allowed :destroy_pipeline
+ end
+ end
+
+ context 'when user is not owner' do
+ it 'is disabled' do
+ expect(policy).not_to be_allowed :destroy_pipeline
+ end
+ end
+ end
 end
 end |
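Review bot: The 'when user is not owner' context does not define its own `user`, so the negative case depends on whatever `let(:user)` exists above line 74, which is outside the hunk. Because the boundary this commit introduces is owner versus the next role down, the denial should be pinned to that role, for example `let(:user) { create(:user) }` with `before { project.add_maintainer(user) }`. As written, the spec would presumably still pass if the rule were later loosened to maintainers, as long as the outer user has no project role. The enclosing `describe Ci::PipelinePolicy` block starts outside the hunk.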