Commit 9ecb85a4 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Forbid creating pipeline if it's protected and

cannot create the tag if it's a tag, and
cannot merge the branch if it's a branch.
parent 07e7ce31
......@@ -27,6 +27,12 @@ module Ci
return error('Reference not found')
end
if tag?
return error("#{ref} is protected") unless access.can_create_tag?(ref)
else
return error("#{ref} is protected") unless access.can_merge_to_branch?(ref)
end
unless commit
return error('Commit not found')
end
......@@ -94,6 +100,10 @@ module Ci
@commit ||= project.commit(origin_sha || origin_ref)
end
def access
@access ||= Gitlab::UserAccess.new(current_user, project: project)
end
def sha
commit.try(:id)
end
......
......@@ -3,13 +3,14 @@ require 'spec_helper'
describe Ci::CreatePipelineService, services: true do
let(:project) { create(:project, :repository) }
let(:user) { create(:admin) }
let(:ref_name) { 'refs/heads/master' }
before do
stub_ci_pipeline_to_return_yaml_file
end
describe '#execute' do
def execute_service(source: :push, after: project.commit.id, message: 'Message', ref: 'refs/heads/master')
def execute_service(source: :push, after: project.commit.id, message: 'Message', ref: ref_name)
params = { ref: ref,
before: '00000000',
after: after,
......@@ -311,5 +312,49 @@ describe Ci::CreatePipelineService, services: true do
end.not_to change { Environment.count }
end
end
shared_examples 'when ref is protected' do
let(:user) { create(:user) }
context 'when user is developer' do
before do
project.add_developer(user)
end
it 'does not create a pipeline' do
expect(execute_service).not_to be_persisted
expect(Ci::Pipeline.count).to eq(0)
end
end
context 'when user is master' do
before do
project.add_master(user)
end
it 'creates a pipeline' do
expect(execute_service).to be_persisted
expect(Ci::Pipeline.count).to eq(1)
end
end
end
context 'when ref is a protected branch' do
before do
create(:protected_branch, project: project, name: 'master')
end
it_behaves_like 'when ref is protected'
end
context 'when ref is a protected tag' do
let(:ref_name) { 'refs/tags/v1.0.0' }
before do
create(:protected_tag, project: project, name: '*')
end
it_behaves_like 'when ref is protected'
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment