Commit c3d897a9 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Properly handle commit status permissions (for a build)

parent e80c79e3
......@@ -5,6 +5,12 @@ class Ability
return [] unless user.is_a?(User)
return [] if user.blocked?
if subject.is_a?(CommitStatus)
rules = project_abilities(user, subject)
rules = filter_build_abilities(rules) if subject.is_a?(Ci::Build)
return rules
end
case subject.class.name
when "Project" then project_abilities(user, subject)
when "Issue" then issue_abilities(user, subject)
......@@ -25,6 +31,10 @@ class Ability
case true
when subject.is_a?(PersonalSnippet)
anonymous_personal_snippet_abilities(subject)
when subject.is_a?(CommitStatus)
rules = anonymous_project_abilities(subject)
rules = filter_build_abilities(rules) if subject.is_a?(Ci::Build)
rules
when subject.is_a?(Project) || subject.respond_to?(:project)
anonymous_project_abilities(subject)
when subject.is_a?(Group) || subject.respond_to?(:group)
......@@ -396,6 +406,18 @@ class Ability
rules
end
def filter_build_abilities(rules)
# If we can't read build we should also not have that
# ability when looking at this in context of commit_status
unless rules.include?(:read_build)
rules -= [:read_commit_status]
end
unless rules.include?(:update_build)
rules -= [:update_commit_status]
end
rules
end
def abilities
@abilities ||= begin
abilities = Six.new
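Review bot: In the signed-in branch of the first hunk, `project_abilities(user, subject)` is handed the CommitStatus itself, whereas the only other visible call (`when "Project" then project_abilities(user, subject)`) passes a Project. `project_abilities` is defined outside these hunks, so it is not visible whether it resolves the project from its argument. If it does not, the rules are computed against the wrong object or the call raises; `rules = project_abilities(user, subject.project)` would make the intended scope explicit. Note also that `filter_build_abilities` removes only `:read_commit_status` and `:update_commit_status`, so any other ability returned by the project rules is kept for a build the user cannot read. If that is intended, say so in its comment, e.g. `# Only the read/update commit_status abilities are tied to the build abilities; all others pass through unchanged`.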
......
%tr.commit_status
%td.status
- if commit_status.target_url
- if can?(current_user, :read_commit_status, commit_status) && commit_status.target_url
= link_to commit_status.target_url, class: "ci-status ci-#{commit_status.status}" do
= ci_icon_for_status(commit_status.status)
= commit_status.status
......@@ -8,7 +8,7 @@
= ci_status_with_icon(commit_status.status)
%td.commit_status-link
- if can?(current_user, :read_build, commit_status.project) && commit_status.target_url
- if can?(current_user, :read_commit_status, commit_status) && commit_status.target_url
= link_to commit_status.target_url do
%strong ##{commit_status.id}
- else
......@@ -66,10 +66,10 @@
%td
.pull-right
- if can?(current_user, :read_build, commit_status.project) && commit_status.artifacts_download_url
- if can?(current_user, :read_commit_status, commit_status) && commit_status.artifacts_download_url
= link_to commit_status.artifacts_download_url, title: 'Download artifacts' do
%i.fa.fa-download
- if can?(current_user, :update_build, commit_status.project)
- if can?(current_user, :update_commit_status, commit_status)
- if commit_status.active?
- if commit_status.cancel_url
= link_to commit_status.cancel_url, method: :post, title: 'Cancel' do
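Review bot: The `can?(current_user, :read_commit_status, commit_status)` and `can?(current_user, :update_commit_status, commit_status)` guards in this partial only control whether the links are rendered. The controller actions behind `artifacts_download_url` and `cancel_url` are not part of this section, so it cannot be confirmed here that they authorize the matching build abilities on the server side; that is where the permission has to be enforced. A comment above the first guard would keep the two in sync: `-# Visibility only: the actions behind these URLs must authorize the same abilities`. A view or feature spec covering a user who has project access but lacks `:read_build` would pin the behaviour this commit is after.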
......