Commit 47b93fd7 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Don't check permission, only protected ref if no user

parent 3c71c12b
...@@ -27,7 +27,7 @@ module Ci ...@@ -27,7 +27,7 @@ module Ci
return error('Reference not found') return error('Reference not found')
end end
unless Ci::Pipeline.allowed_to_create?(current_user, project, ref) unless triggering_user_allowed_for_ref?(trigger_request, ref)
return error("Insufficient permissions for protected #{ref}") return error("Insufficient permissions for protected #{ref}")
end end
...@@ -56,6 +56,14 @@ module Ci ...@@ -56,6 +56,14 @@ module Ci
private private
def triggering_user_allowed_for_ref?(trigger_request, ref)
triggering_user = current_user || trigger_request.trigger.owner
(triggering_user &&
Ci::Pipeline.allowed_to_create?(triggering_user, project, ref)) ||
!project.protected_for?(ref)
end
def process! def process!
Ci::Pipeline.transaction do Ci::Pipeline.transaction do
update_merge_requests_head_pipeline if pipeline.save update_merge_requests_head_pipeline if pipeline.save
......
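Review bot: In `triggering_user_allowed_for_ref?` the `|| !project.protected_for?(ref)` fallback applies whenever the left side is false, not only when there is no user. A resolved user or trigger owner who fails `Ci::Pipeline.allowed_to_create?` is therefore still accepted on an unprotected ref, whereas the removed line gated every ref on that check. Whether this widens access depends on what `allowed_to_create?` checks beyond protected-ref access, which is not visible here. If the intent is what the commit title says, separate the two cases: `return !project.protected_for?(ref) unless triggering_user`, then `Ci::Pipeline.allowed_to_create?(triggering_user, project, ref)`. Separately, `trigger_request.trigger.owner` is evaluated whenever `current_user` is nil, and the spec helper defaults `trigger_request` to nil, so a call with neither would raise `NoMethodError` instead of returning the permission error; a nil guard on `trigger_request` would avoid that.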
...@@ -10,13 +10,19 @@ describe Ci::CreatePipelineService, services: true do ...@@ -10,13 +10,19 @@ describe Ci::CreatePipelineService, services: true do
end end
describe '#execute' do describe '#execute' do
def execute_service(source: :push, after: project.commit.id, message: 'Message', ref: ref_name) def execute_service(
source: :push,
after: project.commit.id,
message: 'Message',
ref: ref_name,
trigger_request: nil)
params = { ref: ref, params = { ref: ref,
before: '00000000', before: '00000000',
after: after, after: after,
commits: [{ message: message }] } commits: [{ message: message }] }
described_class.new(project, user, params).execute(source) described_class.new(project, user, params).execute(
source, trigger_request: trigger_request)
end end
context 'valid params' do context 'valid params' do
...@@ -337,6 +343,53 @@ describe Ci::CreatePipelineService, services: true do ...@@ -337,6 +343,53 @@ describe Ci::CreatePipelineService, services: true do
expect(Ci::Pipeline.count).to eq(1) expect(Ci::Pipeline.count).to eq(1)
end end
end end
context 'when trigger belongs to no one' do
let(:user) {}
let(:trigger_request) { create(:ci_trigger_request) }
it 'does not create a pipeline' do
expect(execute_service(trigger_request: trigger_request))
.not_to be_persisted
expect(Ci::Pipeline.count).to eq(0)
end
end
context 'when trigger belongs to a developer' do
let(:user) {}
let(:trigger_request) do
create(:ci_trigger_request).tap do |request|
user = create(:user)
project.add_developer(user)
request.trigger.update(owner: user)
end
end
it 'does not create a pipeline' do
expect(execute_service(trigger_request: trigger_request))
.not_to be_persisted
expect(Ci::Pipeline.count).to eq(0)
end
end
context 'when trigger belongs to a master' do
let(:user) {}
let(:trigger_request) do
create(:ci_trigger_request).tap do |request|
user = create(:user)
project.add_master(user)
request.trigger.update(owner: user)
end
end
it 'does not create a pipeline' do
expect(execute_service(trigger_request: trigger_request))
.to be_persisted
expect(Ci::Pipeline.count).to eq(1)
end
end
end end
context 'when ref is a protected branch' do context 'when ref is a protected branch' do
......
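Review bot: The example under 'when trigger belongs to a master' is titled `it 'does not create a pipeline'` but asserts `.to be_persisted` and `Ci::Pipeline.count` equal to 1, so a failure report would read as the opposite of what is checked; rename it to `it 'creates a pipeline'`. The three new contexts only cover calls with no `user`. The enclosing context starts outside the hunk, so it is not visible whether the ref is protected in these examples. If it is, add a case for an ownerless trigger on an unprotected ref, and one for a present user who lacks permission, to pin the other branches of the new predicate.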