Diffstat (limited to 'app')
-rw-r--r--app/controllers/projects/pipeline_schedules_controller.rb2
-rw-r--r--app/policies/ci/pipeline_schedule_policy.rb22
2 files changed, 8 insertions, 16 deletions
diff --git a/app/controllers/projects/pipeline_schedules_controller.rb b/app/controllers/projects/pipeline_schedules_controller.rb
index 2ee6229cf68..3f395bd9cea 100644
--- a/app/controllers/projects/pipeline_schedules_controller.rb
+++ b/app/controllers/projects/pipeline_schedules_controller.rb
@@ -33,6 +33,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
end
def update
+ return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)
+
if Ci::CreatePipelineScheduleService
.new(@project, current_user, schedule_params).update(schedule)
redirect_to namespace_project_pipeline_schedules_path(@project.namespace.becomes(Namespace), @project)
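Review bot: The per-schedule check is written inline in `update` only, so any other action that loads `schedule` for modification gets no object-level check from this change. Those actions are outside this hunk, so confirm whether `edit` (and any delete or ownership-change action the controller has) is still guarded only at project level. Moving the check into a private method wired as a filter keeps it in one place, e.g. `before_action :authorize_update_schedule!, only: [:edit, :update]`, where the new `authorize_update_schedule!` contains `return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)`. A controller spec asserting that a developer who does not own the schedule is denied on `update` would pin the behaviour. The body of `update` continues past the end of the hunk.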
diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb
index db561dafbd3..2506c179157 100644
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -2,24 +2,14 @@ module Ci
class PipelineSchedulePolicy < PipelinePolicy
alias_method :pipeline_schedule, :subject
- condition(:protected_action) do
- owned_by_developer? && owned_by_another?
- end
-
- rule { protected_action }.prevent :update_pipeline_schedule
-
- private
-
- def owned_by_developer?
- return false unless @user
-
- pipeline_schedule.project.team.developer?(@user)
- end
+ def rules
+ super
- def owned_by_another?
- return false unless @user
+ access = pipeline_schedule.project.team.max_member_access(user.id)
- !pipeline_schedule.owned_by?(@user)
+ if access == Gitlab::Access::DEVELOPER && pipeline_schedule.owner != user
+ cannot! :update_pipeline_schedule
+ end
end
end
end
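Review bot: `user.id` in the `max_member_access` call raises `NoMethodError` if this policy is ever evaluated without a signed-in user. The removed helpers guarded that case with `return false unless @user`, and the new `rules` has no equivalent. Adding `return unless user` directly after `super` restores the guard. The exact comparison `access == Gitlab::Access::DEVELOPER` restricts only that one role and leaves every other level to whatever `super` decides, so a short comment such as `# Developers may only update schedules they own; other roles follow PipelinePolicy` would make the intent explicit. A policy spec covering owner, non-owner developer, master and anonymous user would catch regressions here.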