Diffstat (limited to 'app/policies/ci')
-rw-r--r-- | app/policies/ci/build_policy.rb | 16 | ||||
-rw-r--r-- | app/policies/ci/pipeline_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/ci/pipeline_schedule_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/ci/runner_policy.rb | 2 |
4 files changed, 25 insertions, 2 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 8b25332b73c..d4af4490608 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -1,5 +1,7 @@
 module Ci
 class BuildPolicy < CommitStatusPolicy
+ alias_method :build, :subject
+
 def rules
 super
@@ -8,6 +10,20 @@ module Ci
 %w[read create update admin].each do |rule|
 cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
 end
+
+ if can?(:update_build) && protected_action?
+ cannot! :update_build
+ end
+ end
+
+ private
+
+ def protected_action?
+ return false unless build.action?
+
+ !::Gitlab::UserAccess
+ .new(user, project: build.project)
+ .can_push_to_branch?(build.ref)
 end
 end
 end
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 3d2eef1c50c..10aa2d3e72a 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,4 +1,7 @@
 module Ci
- class PipelinePolicy < BuildPolicy
+ class PipelinePolicy < BasePolicy
+ def rules
+ delegate! @subject.project
+ end
 end
 end
diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb
new file mode 100644
index 00000000000..1877e89bb23
--- /dev/null
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -0,0 +1,4 @@
+module Ci
+ class PipelineSchedulePolicy < PipelinePolicy
+ end
+end
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 7edd383530d..416d93ffe63 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -3,7 +3,7 @@ module Ci
 def rules
 return unless @user
- can! :assign_runner if @user.is_admin?
+ can! :assign_runner if @user.admin?
 return if @subject.is_shared? || @subject.locked? |
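Review bot: `protected_action?` in the second hunk of `build_policy.rb` passes `build.ref` to `can_push_to_branch?`, which evaluates the ref as a branch name. If a manual action can belong to a tag pipeline (not visible in this hunk), a protected tag would not be covered, so the ref type should be confirmed and handled before calling `::Gitlab::UserAccess`. The check also revokes only `:update_build`, and only when `build.action?` is true, so any caller that gates play or retry on another ability is unaffected. A comment above the `if` would make that scope explicit, for example `# Manual actions on a protected ref require push access to that ref; revoke update_build otherwise.` The enclosing `rules` method begins in the previous hunk, and the lines between the two hunks are not shown.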
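Review bot: Re-parenting `PipelinePolicy` onto `BasePolicy` with `delegate! @subject.project` means pipeline abilities now come from the project role alone, so the `protected_action?` restriction this commit adds to `BuildPolicy` does not apply at pipeline level. The same holds for the new empty `PipelineSchedulePolicy < PipelinePolicy` in `pipeline_schedule_policy.rb`, where nothing ties a schedule to its ref's protection or to its owner. If callers authorize pipeline-wide retry or cancel, or schedule edits, through these policies (not visible in the diff), those paths need an equivalent ref check or a spec showing that per-build `:update_build` is still enforced. For consistency with `alias_method :build, :subject`, consider `alias_method :pipeline, :subject` and `delegate! pipeline.project`.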