author | Lin Jen-Shin <godfat@godfat.org> | 2017-07-04 05:15:27 +0800 |
---|---|---|
committer | Lin Jen-Shin <godfat@godfat.org> | 2017-07-04 05:15:27 +0800 |
commit | 39573c6dde39de2345f100586c2c10f74187f6c1 (patch) | |
tree | b98c5d4b2e211397450dad6009bf97584f772ce5 /app/policies/ci | |
parent | 23bfd8c13c803f4efdb9eaf8e6e3c1ffd17640e8 (diff) | |
parent | 049d4baed0f3532359feb729c5f0938d3d4518ef (diff) | |
download | gitlab-ce-39573c6dde39de2345f100586c2c10f74187f6c1.tar.gz |
Merge remote-tracking branch 'upstream/master' into 30634-protected-pipeline
* upstream/master: (119 commits)
Speed up operations performed by gitlab-shell
Change the force flag to a keyword argument
add image - issue boards - moving card
copyedit == ee !2296
Reset @full_path to nil when cache expires
Replace existing runner links with icons and tooltips, move into btn-group.
add margin between captcha and register button
Eagerly create a milestone that is used in a feature spec
Adjust readme repo width
Resolve "Issue Board -> "Remove from board" button when viewing an issue gives js error and fails"
Set force_remove_source_branch default to false.
Fix rubocop offenses
Make entrypoint and command keys to be array of strings
Add issuable-list class to shared mr/issue lists to fix new responsive layout
New navigation breadcrumbs
Restore timeago translations in renderTimeago.
Fix curl example paths (missing the 'files' segment)
Automatically hide sidebar on smaller screens
Fix typo in IssuesFinder comment
Make Project#ensure_repository force create a repo
...
Diffstat (limited to 'app/policies/ci')
-rw-r--r-- | app/policies/ci/build_policy.rb | 29 | ||||
-rw-r--r-- | app/policies/ci/pipeline_policy.rb | 23 | ||||
-rw-r--r-- | app/policies/ci/runner_policy.rb | 15 | ||||
-rw-r--r-- | app/policies/ci/trigger_policy.rb | 21 |
4 files changed, 32 insertions, 56 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 85245528602..129ed756477 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -1,30 +1,11 @@
 module Ci
 class BuildPolicy < CommitStatusPolicy
- alias_method :build, :subject
-
- def rules
- super
-
- # If we can't read build we should also not have that
- # ability when looking at this in context of commit_status
- %w[read create update admin].each do |rule|
- cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
- end
-
- if can?(:update_build) && !can_user_update?
- cannot! :update_build
- end
+ condition(:user_cannot_update) do
+ !::Gitlab::UserAccess
+ .new(@user, project: @subject.project)
+ .can_push_or_merge_to_branch?(@subject.ref)
 end

- private
-
- def can_user_update?
- user_access.can_push_or_merge_to_branch?(build.ref)
- end
-
- def user_access
- @user_access ||= ::Gitlab::UserAccess
- .new(user, project: build.project)
- end
+ rule { user_cannot_update }.prevent :update_build
 end
 end
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index e71cc358353..73b5a40c7fc 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,24 +1,13 @@
 module Ci
 class PipelinePolicy < BasePolicy
- alias_method :pipeline, :subject
+ delegate { pipeline.project }

- def rules
- delegate! pipeline.project
-
- if can?(:update_pipeline) && !can_user_update?
- cannot! :update_pipeline
- end
+ condition(:user_cannot_update) do
+ !::Gitlab::UserAccess
+ .new(@user, project: @subject.project)
+ .can_push_or_merge_to_branch?(@subject.ref)
 end

- private
-
- def can_user_update?
- user_access.can_push_or_merge_to_branch?(pipeline.ref)
- end
-
- def user_access
- @user_access ||= ::Gitlab::UserAccess
- .new(user, project: pipeline.project)
- end
+ rule { user_cannot_update }.prevent :update_pipeline
 end
 end
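Review bot: In build_policy.rb the removed loop that revoked each `*_commit_status` ability when the matching `*_build` ability was missing has no replacement in this hunk, so that coupling now depends on `CommitStatusPolicy`, which is not shown; please confirm it still holds, since a gap there would widen access rather than narrow it. The new `user_cannot_update` condition also builds `::Gitlab::UserAccess` from `@user` without the old `can?(:update_build)` guard, so it may be evaluated with a nil user if the policy framework runs it for anonymous requests. Whether `can_push_or_merge_to_branch?` tolerates that is not visible here, so a comment such as `# @user may be nil here; UserAccess must answer false for anonymous` above the condition would record the assumption. The same condition is repeated verbatim in pipeline_policy.rb and could be defined once and shared.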
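Review bot: In pipeline_policy.rb the added `delegate { pipeline.project }` still calls `pipeline`, but the same hunk removes `alias_method :pipeline, :subject` and nothing visible defines `pipeline` any more. Unless `BasePolicy` provides that method, the delegation will raise when it is evaluated, and every pipeline ability that is derived from the project fails with it. Use the instance variable, as the condition below it and TriggerPolicy already do: `delegate { @subject.project }`.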
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 416d93ffe63..7dff8470e23 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -1,13 +1,16 @@
 module Ci
 class RunnerPolicy < BasePolicy
- def rules
- return unless @user
+ with_options scope: :subject, score: 0
+ condition(:shared) { @subject.is_shared? }

- can! :assign_runner if @user.admin?
+ with_options scope: :subject, score: 0
+ condition(:locked, scope: :subject) { @subject.locked? }

- return if @subject.is_shared? || @subject.locked?
+ condition(:authorized_runner) { @user.ci_authorized_runners.include?(@subject) }

- can! :assign_runner if @user.ci_authorized_runners.include?(@subject)
- end
+ rule { anonymous }.prevent_all
+ rule { admin | authorized_runner }.enable :assign_runner
+ rule { ~admin & shared }.prevent :assign_runner
+ rule { ~admin & locked }.prevent :assign_runner
 end
 end
diff --git a/app/policies/ci/trigger_policy.rb b/app/policies/ci/trigger_policy.rb
index c90c9ac0583..5592ac30812 100644
--- a/app/policies/ci/trigger_policy.rb
+++ b/app/policies/ci/trigger_policy.rb
@@ -1,13 +1,16 @@
 module Ci
 class TriggerPolicy < BasePolicy
- def rules
- delegate! @subject.project
-
- if can?(:admin_build)
- can! :admin_trigger if @subject.owner.blank? ||
- @subject.owner == @user
- can! :manage_trigger
- end
- end
+ delegate { @subject.project }
+
+ with_options scope: :subject, score: 0
+ condition(:legacy) { @subject.legacy? }
+
+ with_score 0
+ condition(:is_owner) { @user && @subject.owner_id == @user.id }
+
+ rule { ~can?(:admin_build) }.prevent :admin_trigger
+ rule { legacy | is_owner }.enable :admin_trigger
+
+ rule { can?(:admin_build) }.enable :manage_trigger
 end
 end
|
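Review bot: In runner_policy.rb `condition(:authorized_runner)` dereferences `@user` without a nil check, where the old method returned early with `return unless @user`. `rule { anonymous }.prevent_all` denies anonymous users, but whether it also keeps this condition from being evaluated depends on the policy framework's evaluation order, which the hunk does not show. TriggerPolicy's `is_owner` guards with `@user &&`, and doing the same here keeps a denied request from turning into a NoMethodError: `condition(:authorized_runner) { @user && @user.ci_authorized_runners.include?(@subject) }`. The `scope: :subject` argument on `condition(:locked, ...)` repeats the `with_options` line directly above it and can be dropped.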
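Review bot: In trigger_policy.rb the `legacy` condition replaces the old `@subject.owner.blank?` test, and `legacy?` is defined outside this hunk, so the two cannot be checked for equivalence here. This is the branch that lets a user with `admin_build` administer a trigger they do not own, so it deserves a comment on the condition, e.g. `# legacy: trigger has no owner, so any user who can admin_build may administer it`. The `rule { legacy | is_owner }.enable :admin_trigger` line is only safe because of the `~can?(:admin_build)` prevent directly above it; a second comment saying the two rules must stay together would guard against one being moved or removed later.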