authorAgustin Henze <tin@redhat.com>2019-04-09 14:53:44 +0000
committerKamil TrzciƄski <ayufan@ayufan.eu>2019-04-09 14:53:44 +0000
commit20093f9de0b34da88a8b01ca94ee773685b16308 (patch)
tree6418fff41e2f5deeb5f3839d90472b28c18cf942 /app
parent67c330841271537eddad6fc938aa638d68f48a11 (diff)
Add new permission model `read-pipeline-variable`
Used to get the variables via the API endpoint `/projects/:id/pipelines/:pipeline_id/variables` Signed-off-by: Agustin Henze <tin@redhat.com>
Diffstat (limited to 'app')
-rw-r--r--app/models/ci/pipeline.rb4
-rw-r--r--app/policies/ci/pipeline_policy.rb12
2 files changed, 16 insertions, 0 deletions
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index 01d96754518..b81a3cf8362 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -750,6 +750,10 @@ module Ci
self.sha == sha || self.source_sha == sha
end
+ def triggered_by?(current_user)
+ user == current_user
+ end
+
private
def ci_yaml_from_repo
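Review bot: `triggered_by?` returns true when both sides are nil, because `user == current_user` then compares `nil == nil`; that would be the case for a pipeline with no associated user and an unauthenticated caller. The `triggerer_of_pipeline` condition added in app/policies/ci/pipeline_policy.rb passes `@user` straight through, so the only thing keeping that case from matching is the `can?(:update_pipeline)` term it is combined with. The predicate should fail closed on its own, for example `current_user.present? && user == current_user`. Whether `user` can actually be nil on a pipeline is not visible in this hunk, so that part needs confirming against the model's association.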
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 2c90b8a73cd..662c29a0973 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -14,6 +14,10 @@ module Ci
@subject.external?
end
+ condition(:triggerer_of_pipeline) do
+ @subject.triggered_by?(@user)
+ end
+
# Disallow users without permissions from accessing internal pipelines
rule { ~can?(:read_build) & ~external_pipeline }.policy do
prevent :read_pipeline
@@ -29,6 +33,14 @@ module Ci
enable :destroy_pipeline
end
+ rule { can?(:admin_pipeline) }.policy do
+ enable :read_pipeline_variable
+ end
+
+ rule { can?(:update_pipeline) & triggerer_of_pipeline }.policy do
+ enable :read_pipeline_variable
+ end
+
def ref_protected?(user, project, tag, ref)
access = ::Gitlab::UserAccess.new(user, project: project)
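Review bot: `:read_pipeline_variable` gates values that may hold credentials, yet neither new rule says why these two groups are allowed to read them. A comment above the rules would keep later edits from widening the grant, e.g. `# Pipeline variables may contain secrets: readable only by pipeline admins, or by the user who triggered the pipeline and can still update it`. Both rules enable the same ability and could be written as one: `rule { can?(:admin_pipeline) | (can?(:update_pipeline) & triggerer_of_pipeline) }.enable :read_pipeline_variable`. The diffstat is limited to `app`, so the endpoint that should check this ability against the pipeline is not visible here; confirm that it does, and add a policy spec for a user who has `update_pipeline` but did not trigger the pipeline. `ref_protected?` at the end of the hunk continues outside it.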