Commit 6e8ea52b authored by Shinya Maeda's avatar Shinya Maeda

Add functionality and security.

parent e364c118
...@@ -33,6 +33,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController ...@@ -33,6 +33,8 @@ class Projects::PipelineSchedulesController < Projects::ApplicationController
end end
def update def update
return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)
if Ci::CreatePipelineScheduleService if Ci::CreatePipelineScheduleService
.new(@project, current_user, schedule_params).update(schedule) .new(@project, current_user, schedule_params).update(schedule)
redirect_to namespace_project_pipeline_schedules_path(@project.namespace.becomes(Namespace), @project) redirect_to namespace_project_pipeline_schedules_path(@project.namespace.becomes(Namespace), @project)
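Review bot: The new guard `return access_denied! unless can?(current_user, :update_pipeline_schedule, schedule)` sits inline in `update` only, so any other action that exposes or changes the same schedule has to repeat it by hand. The hunk does not show `edit` or the other member actions, so it is not visible whether they apply the same check. Consider moving the `can?` call into a private method registered with `before_action ... only: [:edit, :update]`, so the form and the write path cannot drift apart. A controller spec asserting that a developer who does not own the schedule gets the access-denied response would pin the behaviour. The body of `update` continues past the end of this hunk.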
......
...@@ -2,24 +2,14 @@ module Ci ...@@ -2,24 +2,14 @@ module Ci
class PipelineSchedulePolicy < PipelinePolicy class PipelineSchedulePolicy < PipelinePolicy
alias_method :pipeline_schedule, :subject alias_method :pipeline_schedule, :subject
condition(:protected_action) do def rules
owned_by_developer? && owned_by_another? super
end
rule { protected_action }.prevent :update_pipeline_schedule
private
def owned_by_developer?
return false unless @user
pipeline_schedule.project.team.developer?(@user)
end
def owned_by_another? access = pipeline_schedule.project.team.max_member_access(user.id)
return false unless @user
!pipeline_schedule.owned_by?(@user) if access == Gitlab::Access::DEVELOPER && pipeline_schedule.owner != user
cannot! :update_pipeline_schedule
end
end end
end end
end end
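Review bot: The new `rules` method calls `user.id` with no nil guard, whereas both removed helpers started with `return false unless @user`. If this policy can be evaluated without a signed-in user (the controller passes `current_user` straight into `can?`), the check would raise `NoMethodError` instead of denying. Whether a base class short-circuits the anonymous case is not visible on this page. Adding `return unless user` directly after `super` would keep the outcome an explicit deny. The strict comparison `access == Gitlab::Access::DEVELOPER` blocks only exact developer-level members, so lower roles depend entirely on `super` not granting `:update_pipeline_schedule`; a one-line comment saying so would make that dependency visible to the next reader.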