Consistently check permission for creating pipelines,

updating builds and updating pipelines. We check against
being able to merge or push if the ref is protected.

2 files changed, 24 insertions, 6 deletions

diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 2d7405dc240..85245528602 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -11,19 +11,20 @@ module Ci
         cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
       end
 
-      if can?(:update_build) && protected_action?
+      if can?(:update_build) && !can_user_update?
         cannot! :update_build
       end
     end
 
     private
 
-    def protected_action?
-      return false unless build.action?
+    def can_user_update?
+      user_access.can_push_or_merge_to_branch?(build.ref)
+    end
 
-      !::Gitlab::UserAccess
+    def user_access
+      @user_access ||= ::Gitlab::UserAccess
         .new(user, project: build.project)
-        .can_merge_to_branch?(build.ref)
     end
   end
 end
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 10aa2d3e72a..e71cc358353 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,7 +1,24 @@
 module Ci
   class PipelinePolicy < BasePolicy
+    alias_method :pipeline, :subject
+
     def rules
-      delegate! @subject.project
+      delegate! pipeline.project
+
+      if can?(:update_pipeline) && !can_user_update?
+        cannot! :update_pipeline
+      end
+    end
+
+    private
+
+    def can_user_update?
+      user_access.can_push_or_merge_to_branch?(pipeline.ref)
+    end
+
+    def user_access
+      @user_access ||= ::Gitlab::UserAccess
+        .new(user, project: pipeline.project)
     end
   end
 end