Authorize DestroyPipelineService against pipeline

3 files changed, 6 insertions, 3 deletions

diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index f9623587957..e42d78f47c5 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -16,6 +16,10 @@ module Ci
       enable :update_pipeline
     end
 
+    rule { can?(:owner_access) }.policy do
+      enable :destroy_pipeline
+    end
+
     def ref_protected?(user, project, tag, ref)
       access = ::Gitlab::UserAccess.new(user, project: project)
 
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 221826121da..1c082945299 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -144,7 +144,6 @@ class ProjectPolicy < BasePolicy
     enable :destroy_merge_request
     enable :destroy_issue
     enable :remove_pages
-    enable :destroy_pipeline
 
     enable :set_issue_iid
     enable :set_issue_created_at
diff --git a/app/services/ci/destroy_pipeline_service.rb b/app/services/ci/destroy_pipeline_service.rb
index 059e871f20e..f40e73b3efb 100644
--- a/app/services/ci/destroy_pipeline_service.rb
+++ b/app/services/ci/destroy_pipeline_service.rb
@@ -3,11 +3,11 @@
 module Ci
   class DestroyPipelineService < BaseService
     def execute(pipeline)
-      return false unless can?(current_user, :destroy_pipeline, project)
+      return false unless can?(current_user, :destroy_pipeline, pipeline)
 
       AuditEventService.new(current_user, pipeline).security_event
 
-      pipeline.destroy
+      pipeline.destroy!
     end
   end
 end