authorKamil Trzciński <ayufan@ayufan.eu>2017-07-25 15:04:23 +0000
committerKamil Trzciński <ayufan@ayufan.eu>2017-07-25 15:04:23 +0000
commitac948684fc9f4ded80a028ad2136cfbff90a4b45 (patch)
treefe4d625514c702b1b66c5575deefd1ce4d5bc0ba /app/policies
parent3f59e354a7324e9bf332a34661743d85e82b987c (diff)
parent8a444484345806dcbc0312d770b185edde1edb67 (diff)
Merge branch '30634-protected-pipeline' into 'master'
Implement "Block pipelines on protected branches" Closes #30634, #34616, and #33130 See merge request !11910
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/build_policy.rb8
-rw-r--r--app/policies/ci/pipeline_policy.rb12
2 files changed, 15 insertions, 5 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 386822d3ff6..984e5482288 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -1,17 +1,15 @@
module Ci
class BuildPolicy < CommitStatusPolicy
- condition(:protected_action) do
- next false unless @subject.action?
-
+ condition(:protected_ref) do
access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
if @subject.tag?
!access.can_create_tag?(@subject.ref)
else
- !access.can_merge_to_branch?(@subject.ref)
+ !access.can_update_branch?(@subject.ref)
end
end
- rule { protected_action }.prevent :update_build
+ rule { protected_ref }.prevent :update_build
end
end
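Review bot: The condition name `protected_ref` says something different from what the block computes: it is true when the current user fails `can_create_tag?` or `can_update_branch?` for `@subject.ref`, not when the ref itself is protected. With the `@subject.action?` short-circuit removed, this condition now gates `:update_build` for every build, so a reader auditing the rule should not have to open `Gitlab::UserAccess` to learn what is denied. I would add a comment above the condition, e.g. `# True when @user may not create the tag / update the branch this build ran on; denies build updates on refs the user cannot write to.` The same applies to the copy of this condition in `app/policies/ci/pipeline_policy.rb`.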
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index a2dde95dbc8..4e689a9efd5 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,5 +1,17 @@
module Ci
class PipelinePolicy < BasePolicy
delegate { @subject.project }
+
+ condition(:protected_ref) do
+ access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+
+ if @subject.tag?
+ !access.can_create_tag?(@subject.ref)
+ else
+ !access.can_update_branch?(@subject.ref)
+ end
+ end
+
+ rule { protected_ref }.prevent :update_pipeline
end
end
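Review bot: The `protected_ref` condition added here is a line-for-line copy of the one in `Ci::BuildPolicy`, so the two authorization checks can drift apart when only one is edited; this commit itself had to switch `can_merge_to_branch?` to `can_update_branch?` in the build policy. Defining the condition once in a shared place and referencing it from both policies would keep `:update_build` and `:update_pipeline` tied to the same access decision. Because this policy also delegates to the project policy, a spec asserting that a user without write access to the ref is denied `:update_pipeline` would pin the intended precedence; no spec is visible in this view, which is limited to `app/policies`.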