From 6e8ea52be6f75c99556ee4615f6213d991969bfd Mon Sep 17 00:00:00 2001
From: Shinya Maeda <shinya@gitlab.com>
Date: Mon, 26 Jun 2017 18:25:08 +0900
Subject: Add functionality and security.

---
 app/policies/ci/pipeline_schedule_policy.rb | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)

(limited to 'app/policies/ci')

diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb
index db561dafbd3..2506c179157 100644
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -2,24 +2,14 @@ module Ci
   class PipelineSchedulePolicy < PipelinePolicy
     alias_method :pipeline_schedule, :subject
 
-    condition(:protected_action) do
-      owned_by_developer? && owned_by_another?
-    end
-
-    rule { protected_action }.prevent :update_pipeline_schedule
-
-    private
-
-    def owned_by_developer?
-      return false unless @user
-
-      pipeline_schedule.project.team.developer?(@user)
-    end
+    def rules
+      super
 
-    def owned_by_another?
-      return false unless @user
+      access = pipeline_schedule.project.team.max_member_access(user.id)
 
-      !pipeline_schedule.owned_by?(@user)
+      if access == Gitlab::Access::DEVELOPER && pipeline_schedule.owner != user
+        cannot! :update_pipeline_schedule
+      end
     end
   end
 end
-- 
cgit v1.2.1