Create a play_pipeline_schedule policy and use it

1 files changed, 18 insertions, 0 deletions

diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb
index 6b7598e1821..8e7e129f135 100644
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -2,13 +2,31 @@ module Ci
   class PipelineSchedulePolicy < PipelinePolicy
     alias_method :pipeline_schedule, :subject
 
+    condition(:protected_ref) do
+      access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+
+      if @subject.project.repository.branch_exists?(@subject.ref)
+        access.can_update_branch?(@subject.ref)
+      elsif @subject.project.repository.tag_exists?(@subject.ref)
+        access.can_create_tag?(@subject.ref)
+      else
+        true
+      end
+    end
+
     condition(:owner_of_schedule) do
       can?(:developer_access) && pipeline_schedule.owned_by?(@user)
     end
 
+    rule { can?(:developer_access) }.policy do
+      enable :play_pipeline_schedule
+    end
+
     rule { can?(:master_access) | owner_of_schedule }.policy do
       enable :update_pipeline_schedule
       enable :admin_pipeline_schedule
     end
+
+    rule { protected_ref }.prevent :play_pipeline_schedule
   end
 end