summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--app/policies/ci/build_policy.rb2
-rw-r--r--app/policies/ci/pipeline_policy.rb10
-rw-r--r--app/services/ci/create_pipeline_service.rb2
-rw-r--r--lib/gitlab/user_access.rb2
4 files changed, 10 insertions, 6 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 00adb51e7de..00f18d0155b 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -6,7 +6,7 @@ module Ci
if @subject.tag?
!access.can_create_tag?(@subject.ref)
else
- !access.can_push_or_merge_to_branch?(@subject.ref)
+ !access.can_update_branch?(@subject.ref)
end
end
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 8dba28b8d97..07d724c9cfd 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -3,9 +3,13 @@ module Ci
delegate { @subject.project }
condition(:user_cannot_update) do
- !::Gitlab::UserAccess
- .new(@user, project: @subject.project)
- .can_push_or_merge_to_branch?(@subject.ref)
+ access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+
+ if @subject.tag?
+ !access.can_create_tag?(@subject.ref)
+ else
+ !access.can_update_branch?(@subject.ref)
+ end
end
rule { user_cannot_update }.prevent :update_pipeline
diff --git a/app/services/ci/create_pipeline_service.rb b/app/services/ci/create_pipeline_service.rb
index 8e2184a1f19..8b689968895 100644
--- a/app/services/ci/create_pipeline_service.rb
+++ b/app/services/ci/create_pipeline_service.rb
@@ -89,7 +89,7 @@ module Ci
Ability.allowed?(triggering_user, :create_pipeline, project) &&
if branch?
- access.can_push_or_merge_to_branch?(ref)
+ access.can_update_branch?(ref)
elsif tag?
access.can_create_tag?(ref)
else
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index c63b98500ee..25698bb8e99 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -54,7 +54,7 @@ module Gitlab
end
end
- def can_push_or_merge_to_branch?(ref)
+ def can_update_branch?(ref)
can_push_to_branch?(ref) || can_merge_to_branch?(ref)
end