Merge branch '34927-protect-manual-actions-on-tags' into 'master'

Protect manual actions against protected tag too Closes #34927 See merge request !12908
author: Grzegorz Bizon <grzegorz@gitlab.com> 2017-07-18 10:52:17 +0000
committer: Grzegorz Bizon <grzegorz@gitlab.com> 2017-07-18 10:52:17 +0000
commit: f48264555563a906472795bc9fbccd09be4b6a47 (patch)
tree: f3d3716df513096bacf35f6823b097c5f0377d2f /app
parent: 786879e3724284ff6f955cedab1edaa51e00bdd0 (diff)
parent: 7426e616e859671622cea96755cb5b1e09fd9abe (diff)
download: gitlab-ce-f48264555563a906472795bc9fbccd09be4b6a47.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index a886efc1360..386822d3ff6 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -3,9 +3,13 @@ module Ci
     condition(:protected_action) do
       next false unless @subject.action?
 
-      !::Gitlab::UserAccess
-        .new(@user, project: @subject.project)
-        .can_merge_to_branch?(@subject.ref)
+      access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+
+      if @subject.tag?
+        !access.can_create_tag?(@subject.ref)
+      else
+        !access.can_merge_to_branch?(@subject.ref)
+      end
     end
 
     rule { protected_action }.prevent :update_build
author	Grzegorz Bizon <grzegorz@gitlab.com>	2017-07-18 10:52:17 +0000
committer	Grzegorz Bizon <grzegorz@gitlab.com>	2017-07-18 10:52:17 +0000
commit	f48264555563a906472795bc9fbccd09be4b6a47 (patch)
tree	f3d3716df513096bacf35f6823b097c5f0377d2f /app
parent	786879e3724284ff6f955cedab1edaa51e00bdd0 (diff)
parent	7426e616e859671622cea96755cb5b1e09fd9abe (diff)
download	gitlab-ce-f48264555563a906472795bc9fbccd09be4b6a47.tar.gz