authorStan Hu <stanhu@gmail.com>2017-08-02 16:58:28 -0700
committerStan Hu <stanhu@gmail.com>2017-08-02 16:58:28 -0700
commit408df2edcbd5f3f93ef5541bac9de2b71ba4f0ea (patch)
tree708ae61f9683b48f436f7577d1fad98f30e100fc /app/policies/ci/build_policy.rb
parent3f81586ef0ab20533b8da1213bd9f60e1786dbaa (diff)
parentfaa2a123911eaf84bb57163ea7af759d4632601b (diff)
Merge branch 'master' into sh-headless-chrome-support
Diffstat (limited to 'app/policies/ci/build_policy.rb')
-rw-r--r--app/policies/ci/build_policy.rb28
1 files changed, 7 insertions, 21 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 2d7405dc240..984e5482288 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -1,29 +1,15 @@
module Ci
class BuildPolicy < CommitStatusPolicy
- alias_method :build, :subject
+ condition(:protected_ref) do
+ access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
- def rules
- super
-
- # If we can't read build we should also not have that
- # ability when looking at this in context of commit_status
- %w[read create update admin].each do |rule|
- cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
- end
-
- if can?(:update_build) && protected_action?
- cannot! :update_build
+ if @subject.tag?
+ !access.can_create_tag?(@subject.ref)
+ else
+ !access.can_update_branch?(@subject.ref)
end
end
- private
-
- def protected_action?
- return false unless build.action?
-
- !::Gitlab::UserAccess
- .new(user, project: build.project)
- .can_merge_to_branch?(build.ref)
- end
+ rule { protected_ref }.prevent :update_build
end
end
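Review bot: The new `rule { protected_ref }.prevent :update_build` blocks only `update_build`, and the removed loop that denied each `*_commit_status` ability whenever the matching `*_build` ability was missing has no replacement in this hunk. Unless CommitStatusPolicy (not shown here) ties the two together, a user denied `update_build` on a protected ref could still hold `update_commit_status` for the same build; confirm this, or add something like `rule { protected_ref }.prevent :update_commit_status`. The old check also applied only when `build.action?` was true, so the restriction now covers every build on a protected ref; specs for a non-action build, a protected branch and a protected tag would pin that down. A short comment above the condition would help as well, e.g. `# true when the user may not push to the build's branch or create its tag`, since the name `protected_ref` reads as a property of the ref rather than of the user's access.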