2018-11-18 11:00:15 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2017-08-17 22:00:37 +05:30
|
|
|
module Ci
|
|
|
|
class PipelinePolicy < BasePolicy
|
2017-09-10 17:25:29 +05:30
|
|
|
delegate { @subject.project }
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
condition(:branch_allows_collaboration) do
|
|
|
|
@subject.project.branch_allows_collaboration?(@user, @subject.ref)
|
|
|
|
end
|
|
|
|
|
2019-02-02 18:00:53 +05:30
|
|
|
condition(:external_pipeline, scope: :subject, score: 0) do
|
|
|
|
@subject.external?
|
|
|
|
end
|
|
|
|
|
|
|
|
# Disallow users without permissions from accessing internal pipelines
|
|
|
|
rule { ~can?(:read_build) & ~external_pipeline }.policy do
|
|
|
|
prevent :read_pipeline
|
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
rule { protected_ref }.prevent :update_pipeline
|
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
rule { can?(:public_access) & branch_allows_collaboration }.policy do
|
|
|
|
enable :update_pipeline
|
|
|
|
end
|
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
rule { can?(:owner_access) }.policy do
|
|
|
|
enable :destroy_pipeline
|
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
def ref_protected?(user, project, tag, ref)
|
|
|
|
access = ::Gitlab::UserAccess.new(user, project: project)
|
|
|
|
|
|
|
|
if tag
|
|
|
|
!access.can_create_tag?(ref)
|
2017-09-10 17:25:29 +05:30
|
|
|
else
|
2018-03-17 18:26:18 +05:30
|
|
|
!access.can_update_branch?(ref)
|
2017-09-10 17:25:29 +05:30
|
|
|
end
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|