diff options
Diffstat (limited to 'app/policies/ci/build_policy.rb')
-rw-r--r-- | app/policies/ci/build_policy.rb | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 8b25332b73c..386822d3ff6 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -1,13 +1,17 @@ module Ci class BuildPolicy < CommitStatusPolicy - def rules - super + condition(:protected_action) do + next false unless @subject.action? - # If we can't read build we should also not have that - # ability when looking at this in context of commit_status - %w[read create update admin].each do |rule| - cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build" + access = ::Gitlab::UserAccess.new(@user, project: @subject.project) + + if @subject.tag? + !access.can_create_tag?(@subject.ref) + else + !access.can_merge_to_branch?(@subject.ref) end end + + rule { protected_action }.prevent :update_build end end |