Commit
ad373295
authored
Dec 07, 2017
by
Stan Hu
Refactor common protected ref check
parent
87118872
Showing
3 changed files
with
102 additions
and
16 deletions
+102
-16
app/policies/ci/pipeline_policy.rb
app/policies/ci/pipeline_policy.rb
+9
-7
app/policies/ci/pipeline_schedule_policy.rb
app/policies/ci/pipeline_schedule_policy.rb
+1
-9
spec/policies/ci/pipeline_schedule_policy_spec.rb
spec/policies/ci/pipeline_schedule_policy_spec.rb
+92
-0
app/policies/ci/pipeline_policy.rb
...
...
@@ -2,16 +2,18 @@ module Ci
class
PipelinePolicy
<
BasePolicy
delegate
{
@subject
.
project
}
condition
(
:protected_ref
)
do
access
=
::
Gitlab
::
UserAccess
.
new
(
@user
,
project:
@subject
.
project
)
condition
(
:protected_ref
)
{
ref_protected?
(
@user
,
@subject
.
project
,
@subject
.
tag?
,
@subject
.
ref
)
}
if
@subject
.
tag?
!
access
.
can_create_tag?
(
@subject
.
ref
)
rule
{
protected_ref
}.
prevent
:update_pipeline
def
ref_protected?
(
user
,
project
,
tag
,
ref
)
access
=
::
Gitlab
::
UserAccess
.
new
(
user
,
project:
project
)
if
tag
!
access
.
can_create_tag?
(
ref
)
else
!
access
.
can_update_branch?
(
@subject
.
ref
)
!
access
.
can_update_branch?
(
ref
)
end
end
rule
{
protected_ref
}.
prevent
:update_pipeline
end
end
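Review bot: `ref_protected?` reads as "is this ref protected", but the new method returns the negation of `can_create_tag?` / `can_update_branch?`, so it is true only when the given user lacks write access and false for a protected ref that the user is allowed to update. Since the helper now backs an authorization condition, a comment above the `def` would prevent it being reused for the wrong question, for example `# True when user may not update the branch (or create the tag) named ref; it does not report whether the ref is protected for other users.` The positional boolean `tag` is also easy to pass wrongly at a call site, and a keyword argument (`tag:`) would make callers self-describing.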
app/policies/ci/pipeline_schedule_policy.rb
...
...
@@ -3,15 +3,7 @@ module Ci
alias_method
:pipeline_schedule
,
:subject
condition
(
:protected_ref
)
do
access
=
::
Gitlab
::
UserAccess
.
new
(
@user
,
project:
@subject
.
project
)
if
@subject
.
project
.
repository
.
branch_exists?
(
@subject
.
ref
)
!
access
.
can_update_branch?
(
@subject
.
ref
)
elsif
@subject
.
project
.
repository
.
tag_exists?
(
@subject
.
ref
)
!
access
.
can_create_tag?
(
@subject
.
ref
)
else
false
end
ref_protected?
(
@user
,
@subject
.
project
,
@subject
.
project
.
repository
.
tag_exists?
(
@subject
.
ref
),
@subject
.
ref
)
end
condition
(
:owner_of_schedule
)
do
...
...
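Review bot: The single `ref_protected?(...)` call that replaces the removed `if`/`elsif`/`else` changes the access decision in two cases rather than only refactoring it. The removed code tested `branch_exists?` first, so a ref name that exists as both a branch and a tag was checked with `can_update_branch?`; the new call passes `tag_exists?` as the tag flag, so the same name is now checked with `can_create_tag?` only and the branch rule is not consulted. A ref that matches neither used to yield `false` and now falls through to the branch check. If the branch rule should keep precedence, compute the flag as `tag = !repo.branch_exists?(ref) && repo.tag_exists?(ref)` (with `repo = @subject.project.repository` and `ref = @subject.ref`), and add a spec for a name that is both a branch and a tag. The class header is above the hunk, so the inheritance that makes `ref_protected?` reachable from this policy is assumed.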
spec/policies/ci/pipeline_schedule_policy_spec.rb
0 → 100644
require
'spec_helper'
describe
Ci
::
PipelineSchedulePolicy
,
:models
do
set
(
:user
)
{
create
(
:user
)
}
set
(
:project
)
{
create
(
:project
,
:repository
)
}
set
(
:pipeline_schedule
)
{
create
(
:ci_pipeline_schedule
,
:nightly
,
project:
project
)
}
let
(
:policy
)
do
described_class
.
new
(
user
,
pipeline_schedule
)
end
describe
'rules'
do
describe
'rules for protected ref'
do
before
do
project
.
add_developer
(
user
)
end
context
'when no one can push or merge to the branch'
do
before
do
create
(
:protected_branch
,
:no_one_can_push
,
name:
pipeline_schedule
.
ref
,
project:
project
)
end
it
'does not include ability to play pipeline schedule'
do
expect
(
policy
).
to
be_disallowed
:play_pipeline_schedule
end
end
context
'when developers can push to the branch'
do
before
do
create
(
:protected_branch
,
:developers_can_merge
,
name:
pipeline_schedule
.
ref
,
project:
project
)
end
it
'includes ability to update pipeline'
do
expect
(
policy
).
to
be_allowed
:play_pipeline_schedule
end
end
context
'when no one can create the tag'
do
let
(
:tag
)
{
'v1.0.0'
}
before
do
pipeline_schedule
.
update
(
ref:
tag
)
create
(
:protected_tag
,
:no_one_can_create
,
name:
pipeline_schedule
.
ref
,
project:
project
)
end
it
'does not include ability to play pipeline schedule'
do
expect
(
policy
).
to
be_disallowed
:play_pipeline_schedule
end
end
context
'when no one can create the tag but it is not a tag'
do
before
do
create
(
:protected_tag
,
:no_one_can_create
,
name:
pipeline_schedule
.
ref
,
project:
project
)
end
it
'includes ability to play pipeline schedule'
do
expect
(
policy
).
to
be_allowed
:play_pipeline_schedule
end
end
end
describe
'rules for owner of schedule'
do
before
do
project
.
add_developer
(
user
)
pipeline_schedule
.
update
(
owner:
user
)
end
it
'includes abilities to do do all operations on pipeline schedule'
do
expect
(
policy
).
to
be_allowed
:play_pipeline_schedule
expect
(
policy
).
to
be_allowed
:update_pipeline_schedule
expect
(
policy
).
to
be_allowed
:admin_pipeline_schedule
end
end
describe
'rules for a master'
do
before
do
project
.
add_master
(
user
)
end
it
'includes abilities to do do all operations on pipeline schedule'
do
expect
(
policy
).
to
be_allowed
:play_pipeline_schedule
expect
(
policy
).
to
be_allowed
:update_pipeline_schedule
expect
(
policy
).
to
be_allowed
:admin_pipeline_schedule
end
end
end
end
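Review bot: Two descriptions in the 'rules for protected ref' group do not match what the examples set up or assert: the context 'when developers can push to the branch' creates the protected branch with the `:developers_can_merge` trait, and its example is titled 'includes ability to update pipeline' while it asserts `:play_pipeline_schedule`. For a spec that pins an access-control rule, the wording should name the permission that is actually granted and checked, e.g. `context 'when developers can merge to the branch' do` and `it 'includes ability to play pipeline schedule' do`. The two 'includes abilities to do do all operations on pipeline schedule' titles also repeat "do".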