Commit 1663e824 authored by Alexander Kutelev's avatar Alexander Kutelev Committed by Alexander Kutelev

Disallow developers to delete builds of protected branches.

parent 35b18fe2
...@@ -12,6 +12,14 @@ module Ci ...@@ -12,6 +12,14 @@ module Ci
end end
end end
condition(:unprotected_ref) do
if @subject.tag?
!ProtectedTag.protected?(@subject.project, @subject.ref)
else
!ProtectedBranch.protected?(@subject.project, @subject.ref)
end
end
condition(:owner_of_job) do condition(:owner_of_job) do
@subject.triggered_by?(@user) @subject.triggered_by?(@user)
end end
...@@ -34,7 +42,7 @@ module Ci ...@@ -34,7 +42,7 @@ module Ci
prevent :erase_build prevent :erase_build
end end
rule { can?(:admin_build) | (can?(:update_build) & owner_of_job) }.enable :erase_build rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build
rule { can?(:public_access) & branch_allows_collaboration }.policy do rule { can?(:public_access) & branch_allows_collaboration }.policy do
enable :update_build enable :update_build
......
---
title: Disallow developers to delete builds of protected branches
merge_request: 28881
author: Alexander Kutelev
type: changed
...@@ -379,7 +379,9 @@ instance and project. In addition, all admins can use the admin interface under ...@@ -379,7 +379,9 @@ instance and project. In addition, all admins can use the admin interface under
| See events in the system | | | | ✓ | | See events in the system | | | | ✓ |
| Admin interface | | | | ✓ | | Admin interface | | | | ✓ |
1. Only if the job was triggered by the user 1. Only if the job was:
- Triggered by the user
- [Since GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/35069), not run for a protected branch
### Job permissions ### Job permissions
......
...@@ -176,15 +176,21 @@ describe Ci::BuildPolicy do ...@@ -176,15 +176,21 @@ describe Ci::BuildPolicy do
end end
context 'when developers can push to the branch' do context 'when developers can push to the branch' do
before do
create(:protected_branch, :developers_can_push,
name: build.ref, project: project)
end
context 'when the build was created by the developer' do context 'when the build was created by the developer' do
let(:owner) { user } let(:owner) { user }
it { expect(policy).to be_allowed :erase_build } context 'when the build was created for a protected ref' do
before do
create(:protected_branch, :developers_can_push,
name: build.ref, project: project)
end
it { expect(policy).to be_disallowed :erase_build }
end
context 'when the build was created for an unprotected ref' do
it { expect(policy).to be_allowed :erase_build }
end
end end
context 'when the build was created by the other' do context 'when the build was created by the other' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment