From c82a642b51ad9a206e97072813b64479a0a6cd4c Mon Sep 17 00:00:00 2001
From: Lin Jen-Shin
Date: Mon, 17 Jul 2017 16:49:54 +0800
Subject: Protect manual actions against protected tag too
---
 spec/policies/ci/build_policy_spec.rb | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
(limited to 'spec/policies')
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index ace95ac7067..aa62e675d37 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -103,12 +103,7 @@ describe Ci::BuildPolicy, :models do
 project.add_developer(user)
 end

- context 'when branch build is assigned to is protected' do
- before do
- create(:protected_branch, :no_one_can_push,
- name: 'some-ref', project: project)
- end
-
+ shared_examples 'protected ref' do
 context 'when build is a manual action' do
 let(:build) do
 create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
@@ -130,6 +125,24 @@ describe Ci::BuildPolicy, :models do
 end
 end

+ context 'when build is against a protected branch' do
+ before do
+ create(:protected_branch, :no_one_can_push,
+ name: 'some-ref', project: project)
+ end
+
+ it_behaves_like 'protected ref'
+ end
+
+ context 'when build is against a protected tag' do
+ before do
+ create(:protected_tag, :no_one_can_create,
+ name: 'some-ref', project: project)
+ end
+
+ it_behaves_like 'protected ref'
+ end
+
 context 'when branch build is assigned to is not protected' do
 context 'when build is a manual action' do
 let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
-- cgit v1.2.1
From 7426e616e859671622cea96755cb5b1e09fd9abe Mon Sep 17 00:00:00 2001
From: Lin Jen-Shin
Date: Tue, 18 Jul 2017 16:31:29 +0800
Subject: Make sure it checks against the tag only when it's a tag
---
 spec/policies/ci/build_policy_spec.rb | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'spec/policies')
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index aa62e675d37..9f3212b1a63 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -138,11 +138,30 @@ describe Ci::BuildPolicy, :models do
 before do
 create(:protected_tag, :no_one_can_create,
 name: 'some-ref', project: project)
+
+ build.update(tag: true)
 end

 it_behaves_like 'protected ref'
 end

+ context 'when build is against a protected tag but it is not a tag' do
+ before do
+ create(:protected_tag, :no_one_can_create,
+ name: 'some-ref', project: project)
+ end
+
+ context 'when build is a manual action' do
+ let(:build) do
+ create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
+ end
+
+ it 'includes ability to update build' do
+ expect(policy).to be_allowed :update_build
+ end
+ end
+ end
+
 context 'when branch build is assigned to is not protected' do
 context 'when build is a manual action' do
 let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
-- cgit v1.2.1
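Review bot: The added context `'when build is against a protected tag but it is not a tag'` pins only one direction of the branch/tag split; nothing in this hunk checks the mirror case, where a protected branch named `some-ref` exists and the build is a tag with the same name. The policy code is not part of this diff, so whether that direction is already correct is an inference, but a same-name ref of the other type is exactly where a protection rule can be applied to the wrong ref or skipped, and a mirrored context (sketched below, expected outcome to be confirmed against the intended rule) would pin it. The setup line `build.update(tag: true)` also returns false instead of raising on a failed save, so `build.update!(tag: true)` would make a broken fixture fail loudly. The enclosing `describe` block and the `'protected ref'` shared examples start outside this hunk.

```ruby
# … unchanged: the two protected-tag contexts from this hunk …

context 'when build is against a protected branch but it is a tag' do
  before do
    create(:protected_branch, :no_one_can_push,
           name: 'some-ref', project: project)

    build.update!(tag: true)
  end

  context 'when build is a manual action' do
    let(:build) do
      create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
    end

    # Expected outcome assumes tag builds are governed by tag protection only.
    it 'includes ability to update build' do
      expect(policy).to be_allowed :update_build
    end
  end
end
```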