authorLin Jen-Shin <godfat@godfat.org>2017-07-04 05:01:05 +0800
committerLin Jen-Shin <godfat@godfat.org>2017-07-04 05:01:05 +0800
commit23bfd8c13c803f4efdb9eaf8e6e3c1ffd17640e8 (patch)
tree03db93cdd953b49d28fbe62da4655dcb0c23af04 /app/policies
parent24a1f0d833941a30b91813f36d184d3e7c3f7425 (diff)
downloadgitlab-ce-23bfd8c13c803f4efdb9eaf8e6e3c1ffd17640e8.tar.gz
Consistently check permission for creating pipelines,
updating builds and updating pipelines. We check against being able to merge or push if the ref is protected.
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/build_policy.rb11
-rw-r--r--app/policies/ci/pipeline_policy.rb19
2 files changed, 24 insertions, 6 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 2d7405dc240..85245528602 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -11,19 +11,20 @@ module Ci
cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
end
- if can?(:update_build) && protected_action?
+ if can?(:update_build) && !can_user_update?
cannot! :update_build
end
end
private
- def protected_action?
- return false unless build.action?
+ def can_user_update?
+ user_access.can_push_or_merge_to_branch?(build.ref)
+ end
- !::Gitlab::UserAccess
+ def user_access
+ @user_access ||= ::Gitlab::UserAccess
.new(user, project: build.project)
- .can_merge_to_branch?(build.ref)
end
end
end
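Review bot: `can_user_update?` passes `build.ref` to `can_push_or_merge_to_branch?` without checking whether the ref is a branch or a tag. If a build can run for a tag, the tag name would be evaluated as a branch name and any tag-level protection would not be consulted; `Gitlab::UserAccess` is not visible here, so this is inferred from the method name. The same applies to `pipeline.ref` in the pipeline_policy.rb hunk. At minimum, document the limitation above the helper, e.g. `# NOTE: only branch protection is checked; a tag ref is looked up as a branch name`. Dropping the `build.action?` guard also extends the restriction from manual actions to every build, so a spec for a non-action build on a protected ref would pin the new behaviour; `rules` begins above this hunk.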
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 10aa2d3e72a..e71cc358353 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,7 +1,24 @@
module Ci
class PipelinePolicy < BasePolicy
+ alias_method :pipeline, :subject
+
def rules
- delegate! @subject.project
+ delegate! pipeline.project
+
+ if can?(:update_pipeline) && !can_user_update?
+ cannot! :update_pipeline
+ end
+ end
+
+ private
+
+ def can_user_update?
+ user_access.can_push_or_merge_to_branch?(pipeline.ref)
+ end
+
+ def user_access
+ @user_access ||= ::Gitlab::UserAccess
+ .new(user, project: pipeline.project)
end
end
end
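Review bot: `can_user_update?` and `user_access` are line-for-line copies of the helpers added to `Ci::BuildPolicy`, differing only in the subject (`pipeline` versus `build`). Two copies of an authorization check can drift apart, leaving one policy stricter than the other without anyone noticing. Consider moving the pair into a shared module or base-class helper that takes the subject's `ref` and `project`. The `cannot! :update_pipeline` branch also has no comment explaining why the delegated ability is revoked; something like `# Revoke update on a protected ref unless the user may push or merge to it` above the `if` would make the intent clear. The commit message also mentions creating pipelines, but this policy only restricts `:update_pipeline`, so the creation check presumably lives outside `app/policies` and is worth confirming.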