Make sure it checks against the tag only when it's a tag

7426e616 · Lin Jen-Shin · ef2e9879 · 7426e616 · 7426e616
Commit 7426e616 authored Jul 18, 2017 by Lin Jen-Shin
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 1 deletion

app/policies/ci/build_policy.rb app/policies/ci/build_policy.rb +4 -1

spec/policies/ci/build_policy_spec.rb spec/policies/ci/build_policy_spec.rb +19 -0

No files found.
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -5,8 +5,11 @@ module Ci

      access = ::Gitlab::UserAccess.new(@user, project: @subject.project)

-      !access.can_merge_to_branch?(@subject.ref) ||
+      if @subject.tag?
        !access.can_create_tag?(@subject.ref)
+      else
+        !access.can_merge_to_branch?(@subject.ref)
+      end
    end

    rule { protected_action }.prevent :update_build

--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -138,11 +138,30 @@ describe Ci::BuildPolicy, :models do
        before do
          create(:protected_tag, :no_one_can_create,
                 name: 'some-ref', project: project)
+
+          build.update(tag: true)
        end

        it_behaves_like 'protected ref'
      end

+      context 'when build is against a protected tag but it is not a tag' do
+        before do
+          create(:protected_tag, :no_one_can_create,
+                 name: 'some-ref', project: project)
+        end
+
+        context 'when build is a manual action' do
+          let(:build) do
+            create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
+          end
+
+          it 'includes ability to update build' do
+            expect(policy).to be_allowed :update_build
+          end
+        end
+      end
+
      context 'when branch build is assigned to is not protected' do
        context 'when build is a manual action' do
          let(:build) { create(:ci_build, :manual, pipeline: pipeline) }