From 0bc14b452218277a55f71ab22bed724b696ecf28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matija=20=C4=8Cupi=C4=87?=
Date: Tue, 13 Nov 2018 17:17:01 +0100
Subject: Authorize DestroyPipelineService against pipeline
---
 app/policies/ci/pipeline_policy.rb | 4 ++++
 app/policies/project_policy.rb | 1 -
 app/services/ci/destroy_pipeline_service.rb | 4 ++--
 lib/api/pipelines.rb | 2 +-
 spec/policies/ci/pipeline_policy_spec.rb | 18 ++++++++++++++++++
 5 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index f9623587957..e42d78f47c5 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -16,6 +16,10 @@ module Ci
 enable :update_pipeline
 end
+ rule { can?(:owner_access) }.policy do
+ enable :destroy_pipeline
+ end
+
 def ref_protected?(user, project, tag, ref)
 access = ::Gitlab::UserAccess.new(user, project: project)
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 221826121da..1c082945299 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -144,7 +144,6 @@ class ProjectPolicy < BasePolicy
 enable :destroy_merge_request
 enable :destroy_issue
 enable :remove_pages
- enable :destroy_pipeline
 enable :set_issue_iid
 enable :set_issue_created_at
diff --git a/app/services/ci/destroy_pipeline_service.rb b/app/services/ci/destroy_pipeline_service.rb
index 059e871f20e..f40e73b3efb 100644
--- a/app/services/ci/destroy_pipeline_service.rb
+++ b/app/services/ci/destroy_pipeline_service.rb
@@ -3,11 +3,11 @@
 module Ci
 class DestroyPipelineService < BaseService
 def execute(pipeline)
- return false unless can?(current_user, :destroy_pipeline, project)
+ return false unless can?(current_user, :destroy_pipeline, pipeline)
 AuditEventService.new(current_user, pipeline).security_event
- pipeline.destroy
+ pipeline.destroy!
 end
 end
 end
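Review bot: In `execute`, the audit record is still written before the outcome of the delete is known, and switching to `pipeline.destroy!` means a failed delete now raises after `AuditEventService.new(current_user, pipeline).security_event` has already run. That can leave a security event for a pipeline that still exists. Consider recording the event only after the delete succeeds, or wrapping both calls in `pipeline.transaction do ... end`; whether the audit service can work from an already-destroyed record is not visible here. The method also now has two failure signals, so a comment such as `# Returns false when not authorized; raises if the record cannot be destroyed.` would make the contract explicit for callers.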
diff --git a/lib/api/pipelines.rb b/lib/api/pipelines.rb
index 39d693bb9e9..cba1e3a6684 100644
--- a/lib/api/pipelines.rb
+++ b/lib/api/pipelines.rb
@@ -89,7 +89,7 @@ module API
 requires :pipeline_id, type: Integer, desc: 'The pipeline ID'
 end
 delete ':id/pipelines/:pipeline_id' do
- authorize! :destroy_pipeline, user_project
+ authorize! :destroy_pipeline, pipeline
 destroy_conditionally!(pipeline) do
 ::Ci::DestroyPipelineService.new(user_project, current_user).execute(pipeline)
diff --git a/spec/policies/ci/pipeline_policy_spec.rb b/spec/policies/ci/pipeline_policy_spec.rb
index bd32faf06ef..8022f61e67d 100644
--- a/spec/policies/ci/pipeline_policy_spec.rb
+++ b/spec/policies/ci/pipeline_policy_spec.rb
@@ -74,5 +74,23 @@ describe Ci::PipelinePolicy, :models do
 expect(policy).to be_allowed :update_pipeline
 end
 end
+
+ describe 'destroy_pipeline' do
+ let(:project) { create(:project, :public) }
+
+ context 'when user has owner access' do
+ let(:user) { project.owner }
+
+ it 'is enabled' do
+ expect(policy).to be_allowed :destroy_pipeline
+ end
+ end
+
+ context 'when user is not owner' do
+ it 'is disabled' do
+ expect(policy).not_to be_allowed :destroy_pipeline
+ end
+ end
+ end
 end
 end
-- 
cgit v1.2.1
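Review bot: The authorization subject in the `delete ':id/pipelines/:pipeline_id'` route is now whatever the `pipeline` helper returns, and that helper is defined outside this hunk. The check is only as strong as that lookup, which should resolve `params[:pipeline_id]` within `user_project` and return 404 before `authorize!` runs when nothing is found. The commit adds policy specs only, so a request spec expecting 403 for a maintainer and 404 for a pipeline id from another project would pin the behaviour at the endpoint. Since `::Ci::DestroyPipelineService#execute` repeats the same `can?` check, its `false` return looks unreachable from this route; a comment noting that the service check is defence in depth would avoid confusion.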
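Review bot: The negative case in `context 'when user is not owner'` sets up no role, so it relies on a `user` defined outside this hunk, presumably one with no membership in the project. The boundary that matters for this permission is the highest non-owner role, so the context should grant it explicitly, e.g. `before { project.add_maintainer(user) }`, and keep the `not_to be_allowed :destroy_pipeline` expectation. `let(:project) { create(:project, :public) }` also appears to override an outer definition not visible here; a one-line comment on why the project must be public would help the next reader.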