Disallow developers to delete builds of protected branches.

1663e824 · Alexander Kutelev · Alexander Kutelev · 35b18fe2 · 1663e824 · 1663e824
Commit 1663e824 authored Apr 05, 2020 by Alexander Kutelev Committed by Alexander Kutelev Apr 21, 2020
4 changed files
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -12,6 +12,14 @@ module Ci
      end
    end
+    condition(:unprotected_ref) do
+      if @subject.tag?
+        !ProtectedTag.protected?(@subject.project, @subject.ref)
+      else
+        !ProtectedBranch.protected?(@subject.project, @subject.ref)
+      end
+    end
    condition(:owner_of_job) do
      @subject.triggered_by?(@user)
    end
@@ -34,7 +42,7 @@ module Ci
      prevent :erase_build
    end
-    rule { can?(:admin_build) | (can?(:update_build) & owner_of_job) }.enable :erase_build
+    rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build
    rule { can?(:public_access) & branch_allows_collaboration }.policy do
      enable :update_build

--- a/changelogs/unreleased/35069-protect-builds.yml
+++ b/changelogs/unreleased/35069-protect-builds.yml
+---
+title: Disallow developers to delete builds of protected branches
+merge_request: 28881
+author: Alexander Kutelev
+type: changed
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -379,7 +379,9 @@ instance and project. In addition, all admins can use the admin interface under
 | See events in the system              |                 |             |          | ✓      |
 | Admin interface                       |                 |             |          | ✓      |
-1. Only if the job was triggered by the user
+1. Only if the job was:
+   - Triggered by the user
+   - [Since GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/35069), not run for a protected branch
 ### Job permissions

--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -176,16 +176,22 @@ describe Ci::BuildPolicy do
        end
        context 'when developers can push to the branch' do
+          context 'when the build was created by the developer' do
+            let(:owner) { user }
+            context 'when the build was created for a protected ref' do
              before do
                create(:protected_branch, :developers_can_push,
                       name: build.ref, project: project)
              end
-          context 'when the build was created by the developer' do
+              it { expect(policy).to be_disallowed :erase_build }
-            let(:owner) { user }
+            end
+            context 'when the build was created for an unprotected ref' do
              it { expect(policy).to be_allowed :erase_build }
            end
+          end
          context 'when the build was created by the other' do
            let(:owner) { create(:user) }