Avoid enabling locked runners. Give 403 in this case

2 files changed, 3 insertions, 0 deletions

diff --git a/app/controllers/admin/runner_projects_controller.rb b/app/controllers/admin/runner_projects_controller.rb
index d25619d94e0..29307aeab6d 100644
--- a/app/controllers/admin/runner_projects_controller.rb
+++ b/app/controllers/admin/runner_projects_controller.rb
@@ -9,6 +9,8 @@ class Admin::RunnerProjectsController < Admin::ApplicationController
   def create
     @runner = Ci::Runner.find(params[:runner_project][:runner_id])
 
+    return head(403) if runner.is_shared? || runner.is_locked?
+
     if @runner.assign_to(@project, current_user)
       redirect_to admin_runner_path(@runner)
     else
diff --git a/app/controllers/projects/runner_projects_controller.rb b/app/controllers/projects/runner_projects_controller.rb
index bedeb4a295c..4c013303269 100644
--- a/app/controllers/projects/runner_projects_controller.rb
+++ b/app/controllers/projects/runner_projects_controller.rb
@@ -6,6 +6,7 @@ class Projects::RunnerProjectsController < Projects::ApplicationController
   def create
     @runner = Ci::Runner.find(params[:runner_project][:runner_id])
 
+    return head(403) if runner.is_shared? || runner.is_locked?
     return head(403) unless current_user.ci_authorized_runners.include?(@runner)
 
     path = runners_path(project)