Check branch access when user triggers manual action

5525db8b · Grzegorz Bizon · ee592f0d · 5525db8b · 5525db8b
Commit 5525db8b authored Apr 06, 2017 by Grzegorz Bizon
Show whitespace changes
Inline Side-by-side

Showing with 63 additions and 12 deletions

app/models/ci/build.rb app/models/ci/build.rb +10 -0

spec/models/ci/build_spec.rb spec/models/ci/build_spec.rb +53 -12

No files found.
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -115,7 +115,17 @@ module Ci
      commands.present?
    end
+    def can_play?(current_user)
+      ::Gitlab::UserAccess
+        .new(current_user, project: project)
+        .can_push_to_branch?(ref)
+    end
    def play(current_user)
+      unless can_play?(current_user)
+        raise Gitlab::Access::AccessDeniedError
+      end
      # Try to queue a current build
      if self.enqueue
        self.update(user: current_user)

--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -925,6 +925,33 @@ describe Ci::Build, :models do
    end
  end
+  describe '#can_play?' do
+    before do
+      project.add_developer(user)
+    end
+    let(:build) do
+      create(:ci_build, ref: 'some-ref', pipeline: pipeline)
+    end
+    context 'when branch build is running for is protected' do
+      before do
+        create(:protected_branch, :no_one_can_push,
+               name: 'some-ref', project: project)
+      end
+      it 'indicates that user can not trigger an action' do
+        expect(build.can_play?(user)).to be_falsey
+      end
+    end
+    context 'when branch build is running for is not protected' do
+      it 'indicates that user can trigger an action' do
+        expect(build.can_play?(user)).to be_truthy
+      end
+    end
+  end
  describe '#play' do
    let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
@@ -932,6 +959,19 @@ describe Ci::Build, :models do
      project.add_developer(user)
    end
+    context 'when user does not have ability to trigger action' do
+      before do
+        create(:protected_branch, :no_one_can_push,
+               name: build.ref, project: project)
+      end
+      it 'raises an error' do
+        expect { build.play(user) }
+          .to raise_error Gitlab::Access::AccessDeniedError
+      end
+    end
+    context 'when user has ability to trigger manual action' do
      context 'when build is manual' do
        it 'enqueues a build' do
          new_build = build.play(user)
@@ -941,7 +981,7 @@ describe Ci::Build, :models do
        end
      end
-    context 'when build is passed' do
+      context 'when build is not manual' do
        before do
          build.update(status: 'success')
        end
@@ -954,6 +994,7 @@ describe Ci::Build, :models do
        end
      end
    end
+  end
  describe 'project settings' do
    describe '#timeout' do