diff options
-rw-r--r-- | app/policies/ci/build_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/ci/pipeline_policy.rb | 10 | ||||
-rw-r--r-- | app/services/ci/create_pipeline_service.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/user_access.rb | 2 |
4 files changed, 10 insertions, 6 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 00adb51e7de..00f18d0155b 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -6,7 +6,7 @@ module Ci if @subject.tag? !access.can_create_tag?(@subject.ref) else - !access.can_push_or_merge_to_branch?(@subject.ref) + !access.can_update_branch?(@subject.ref) end end diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb index 8dba28b8d97..07d724c9cfd 100644 --- a/app/policies/ci/pipeline_policy.rb +++ b/app/policies/ci/pipeline_policy.rb @@ -3,9 +3,13 @@ module Ci delegate { @subject.project } condition(:user_cannot_update) do - !::Gitlab::UserAccess - .new(@user, project: @subject.project) - .can_push_or_merge_to_branch?(@subject.ref) + access = ::Gitlab::UserAccess.new(@user, project: @subject.project) + + if @subject.tag? + !access.can_create_tag?(@subject.ref) + else + !access.can_update_branch?(@subject.ref) + end end rule { user_cannot_update }.prevent :update_pipeline diff --git a/app/services/ci/create_pipeline_service.rb b/app/services/ci/create_pipeline_service.rb index 8e2184a1f19..8b689968895 100644 --- a/app/services/ci/create_pipeline_service.rb +++ b/app/services/ci/create_pipeline_service.rb @@ -89,7 +89,7 @@ module Ci Ability.allowed?(triggering_user, :create_pipeline, project) && if branch? - access.can_push_or_merge_to_branch?(ref) + access.can_update_branch?(ref) elsif tag? access.can_create_tag?(ref) else diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb index c63b98500ee..25698bb8e99 100644 --- a/lib/gitlab/user_access.rb +++ b/lib/gitlab/user_access.rb @@ -54,7 +54,7 @@ module Gitlab end end - def can_push_or_merge_to_branch?(ref) + def can_update_branch?(ref) can_push_to_branch?(ref) || can_merge_to_branch?(ref) end |