Commit 0bc14b45 authored by Matija Čupić's avatar Matija Čupić

Authorize DestroyPipelineService against pipeline

parent 6173d463
......@@ -16,6 +16,10 @@ module Ci
enable :update_pipeline
end
rule { can?(:owner_access) }.policy do
enable :destroy_pipeline
end
def ref_protected?(user, project, tag, ref)
access = ::Gitlab::UserAccess.new(user, project: project)
......
......@@ -144,7 +144,6 @@ class ProjectPolicy < BasePolicy
enable :destroy_merge_request
enable :destroy_issue
enable :remove_pages
enable :destroy_pipeline
enable :set_issue_iid
enable :set_issue_created_at
......
......@@ -3,11 +3,11 @@
module Ci
class DestroyPipelineService < BaseService
def execute(pipeline)
return false unless can?(current_user, :destroy_pipeline, project)
return false unless can?(current_user, :destroy_pipeline, pipeline)
AuditEventService.new(current_user, pipeline).security_event
pipeline.destroy
pipeline.destroy!
end
end
end
......@@ -89,7 +89,7 @@ module API
requires :pipeline_id, type: Integer, desc: 'The pipeline ID'
end
delete ':id/pipelines/:pipeline_id' do
authorize! :destroy_pipeline, user_project
authorize! :destroy_pipeline, pipeline
destroy_conditionally!(pipeline) do
::Ci::DestroyPipelineService.new(user_project, current_user).execute(pipeline)
......
......@@ -74,5 +74,23 @@ describe Ci::PipelinePolicy, :models do
expect(policy).to be_allowed :update_pipeline
end
end
describe 'destroy_pipeline' do
let(:project) { create(:project, :public) }
context 'when user has owner access' do
let(:user) { project.owner }
it 'is enabled' do
expect(policy).to be_allowed :destroy_pipeline
end
end
context 'when user is not owner' do
it 'is disabled' do
expect(policy).not_to be_allowed :destroy_pipeline
end
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment