Merge branch '35069-protect-artifacts' into 'master'

Disallow developers to delete builds of protected branches Closes #35069 See merge request gitlab-org/gitlab!28881

Merge branch '35069-protect-artifacts' into 'master'
Disallow developers to delete builds of protected branches Closes #35069 See merge request gitlab-org/gitlab!28881
c305f5a4 · Grzegorz Bizon · 3bace174 · 1663e824 · c305f5a4 · c305f5a4
Commit c305f5a4 authored May 12, 2020 by Grzegorz Bizon
4 changed files
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -12,6 +12,14 @@ module Ci
      end
    end
+    condition(:unprotected_ref) do
+      if @subject.tag?
+        !ProtectedTag.protected?(@subject.project, @subject.ref)
+      else
+        !ProtectedBranch.protected?(@subject.project, @subject.ref)
+      end
+    end
    condition(:owner_of_job) do
      @subject.triggered_by?(@user)
    end
@@ -34,7 +42,7 @@ module Ci
      prevent :erase_build
    end
-    rule { can?(:admin_build) | (can?(:update_build) & owner_of_job) }.enable :erase_build
+    rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build
    rule { can?(:public_access) & branch_allows_collaboration }.policy do
      enable :update_build

--- a/changelogs/unreleased/35069-protect-builds.yml
+++ b/changelogs/unreleased/35069-protect-builds.yml
+---
+title: Disallow developers to delete builds of protected branches
+merge_request: 28881
+author: Alexander Kutelev
+type: changed
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -403,7 +403,9 @@ instance and project. In addition, all admins can use the admin interface under
 | See events in the system              |                 |             |          | ✓      |
 | Admin interface                       |                 |             |          | ✓      |
-1. Only if the job was triggered by the user
+1. Only if the job was:
+   - Triggered by the user
+   - [Since GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/35069), not run for a protected branch
 ### Job permissions

--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -176,15 +176,21 @@ describe Ci::BuildPolicy do
        end
        context 'when developers can push to the branch' do
-          before do
-            create(:protected_branch, :developers_can_push,
-                   name: build.ref, project: project)
-          end
          context 'when the build was created by the developer' do
            let(:owner) { user }
-            it { expect(policy).to be_allowed :erase_build }
+            context 'when the build was created for a protected ref' do
+              before do
+                create(:protected_branch, :developers_can_push,
+                       name: build.ref, project: project)
+              end
+              it { expect(policy).to be_disallowed :erase_build }
+            end
+            context 'when the build was created for an unprotected ref' do
+              it { expect(policy).to be_allowed :erase_build }
+            end
          end
          context 'when the build was created by the other' do