Protect manual actions against protected tag too

author: Lin Jen-Shin <godfat@godfat.org> 2017-07-17 16:49:54 +0800
committer: Lin Jen-Shin <godfat@godfat.org> 2017-07-17 16:49:54 +0800
commit: c82a642b51ad9a206e97072813b64479a0a6cd4c (patch)
tree: 40b8b71650649efb4781840a6965a787f6b57227 /app/policies
parent: 5f32bd774ad5cb89685dab5102e0614b2593d4ff (diff)
download: gitlab-ce-c82a642b51ad9a206e97072813b64479a0a6cd4c.tar.gz
1 files changed, 4 insertions, 3 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index a886efc1360..71ecb5bca8d 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -3,9 +3,10 @@ module Ci
     condition(:protected_action) do
       next false unless @subject.action?
 
-      !::Gitlab::UserAccess
-        .new(@user, project: @subject.project)
-        .can_merge_to_branch?(@subject.ref)
+      access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+
+      !access.can_merge_to_branch?(@subject.ref) ||
+        !access.can_create_tag?(@subject.ref)
     end
 
     rule { protected_action }.prevent :update_build
author	Lin Jen-Shin <godfat@godfat.org>	2017-07-17 16:49:54 +0800
committer	Lin Jen-Shin <godfat@godfat.org>	2017-07-17 16:49:54 +0800
commit	c82a642b51ad9a206e97072813b64479a0a6cd4c (patch)
tree	40b8b71650649efb4781840a6965a787f6b57227 /app/policies
parent	5f32bd774ad5cb89685dab5102e0614b2593d4ff (diff)
download	gitlab-ce-c82a642b51ad9a206e97072813b64479a0a6cd4c.tar.gz