Diffstat (limited to 'app/controllers/groups/runners_controller.rb')
-rw-r--r-- | app/controllers/groups/runners_controller.rb | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/app/controllers/groups/runners_controller.rb b/app/controllers/groups/runners_controller.rb
index 652f12e34ba..18b055b3f05 100644
--- a/app/controllers/groups/runners_controller.rb
+++ b/app/controllers/groups/runners_controller.rb
@@ -2,13 +2,9 @@
 
 class Groups::RunnersController < Groups::ApplicationController
 before_action :authorize_read_group_runners!, only: [:index, :show]
- before_action :authorize_admin_group_runners!, only: [:edit, :update, :destroy, :pause, :resume]
+ before_action :authorize_update_runner!, only: [:edit, :update, :destroy, :pause, :resume]
 before_action :runner, only: [:edit, :update, :destroy, :pause, :resume, :show]
 
- before_action only: [:show] do
- push_frontend_feature_flag(:enforce_runner_token_expires_at)
- end
-
 feature_category :runner
 urgency :low
 
@@ -37,7 +33,9 @@ class Groups::RunnersController < Groups::ApplicationController
 private
 
 def runner
- @runner ||= Ci::RunnersFinder.new(current_user: current_user, params: { group: @group }).execute
+ group_params = { group: @group, membership: :all_available }
+
+ @runner ||= Ci::RunnersFinder.new(current_user: current_user, params: group_params).execute
 .except(:limit, :offset)
 .find(params[:id])
 end
@@ -45,6 +43,12 @@ class Groups::RunnersController < Groups::ApplicationController
 def runner_params
 params.require(:runner).permit(Ci::Runner::FORM_EDITABLE)
 end
+
+ def authorize_update_runner!
+ return if can?(current_user, :admin_group_runners, group) && can?(current_user, :update_runner, runner)
+
+ render_404
+ end
 end
 
 Groups::RunnersController.prepend_mod |
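Review bot: The `only:` list of the new `authorize_update_runner!` filter still contains `:destroy`, so deleting a runner is now authorized by the `:update_runner` ability that the third hunk checks. If the runner policy distinguishes deletion from update, `destroy` should be guarded by the delete ability in a filter of its own, for example a new `before_action :authorize_delete_runner!, only: [:destroy]`. The filter is also declared before `before_action :runner` yet loads the runner itself; that works only because `runner` memoizes, which deserves a one-line comment such as `# authorize_update_runner! loads the runner itself via the memoized #runner`.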
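Review bot: `membership: :all_available` widens the set that `runner` searches, and the same `runner` filter also serves `:show`, which is guarded only by the group-level `authorize_read_group_runners!` with no per-runner check. Presumably the wider scope now includes runners that are available to the group but not owned by it, so a user allowed to read the group's runners could open the detail page of such a runner by id. Unless `Ci::RunnersFinder` already restricts the result to what `current_user` may read, `show` should get a per-runner guard that mirrors the new update check, e.g. `render_404 unless can?(current_user, :read_runner, runner)`. Separately, `group_params` is rebuilt on every call although `@runner` is memoized; building the hash inside the `||=` expression avoids that.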
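Review bot: `authorize_update_runner!` carries no comment on why two abilities are required or why failure is a 404, and it reads `group` while `runner` in the previous hunk reads `@group`. I would add `# Requires the group-level :admin_group_runners ability and the per-runner :update_runner ability; answers 404 on failure.` above the method and use one accessor for the group in both places. Because `&&` short-circuits, the runner lookup (whose `find` presumably raises for an unknown id) only runs once the group check has passed; that ordering is worth preserving if the condition is ever rewritten.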