debian-mirror-gitlab/app/policies/ci/pipeline_policy.rb

# frozen_string_literal: true

module Ci
  class PipelinePolicy < BasePolicy
    delegate { @subject.project }

    condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }

    condition(:branch_allows_collaboration) do
      @subject.project.branch_allows_collaboration?(@user, @subject.ref)
    end

    condition(:external_pipeline, scope: :subject, score: 0) do
      @subject.external?
    end

    condition(:triggerer_of_pipeline) do
      @subject.triggered_by?(@user)
    end

    # Disallow users without permissions from accessing internal pipelines
    rule { ~can?(:read_build) & ~external_pipeline }.policy do
      prevent :read_pipeline
    end

    rule { protected_ref }.prevent :update_pipeline

    rule { can?(:public_access) & branch_allows_collaboration }.policy do
      enable :update_pipeline
    end

    rule { can?(:owner_access) }.policy do
      enable :destroy_pipeline
    end

    rule { can?(:admin_pipeline) }.policy do
      enable :read_pipeline_variable
    end

    rule { can?(:update_pipeline) & triggerer_of_pipeline }.policy do
      enable :read_pipeline_variable
    end

    def ref_protected?(user, project, tag, ref)
      access = ::Gitlab::UserAccess.new(user, container: project)

      if tag
        !access.can_create_tag?(ref)
      else
        !access.can_update_branch?(ref)
      end
    end
  end
end
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`# frozen_string_literal: true`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`module Ci`
			`class PipelinePolicy < BasePolicy`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`delegate { @subject.project }`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`condition(:branch_allows_collaboration) do`
			`@subject.project.branch_allows_collaboration?(@user, @subject.ref)`
			`end`

New upstream version 11.5.10+dfsg 2019-02-02 18:00:53 +05:30			`condition(:external_pipeline, scope: :subject, score: 0) do`
			`@subject.external?`
			`end`

New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`condition(:triggerer_of_pipeline) do`
			`@subject.triggered_by?(@user)`
			`end`

New upstream version 11.5.10+dfsg 2019-02-02 18:00:53 +05:30			`# Disallow users without permissions from accessing internal pipelines`
			`rule { ~can?(:read_build) & ~external_pipeline }.policy do`
			`prevent :read_pipeline`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`rule { protected_ref }.prevent :update_pipeline`

New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`rule { can?(:public_access) & branch_allows_collaboration }.policy do`
			`enable :update_pipeline`
			`end`

New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`rule { can?(:owner_access) }.policy do`
			`enable :destroy_pipeline`
			`end`

New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`rule { can?(:admin_pipeline) }.policy do`
			`enable :read_pipeline_variable`
			`end`

			`rule { can?(:update_pipeline) & triggerer_of_pipeline }.policy do`
			`enable :read_pipeline_variable`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`def ref_protected?(user, project, tag, ref)`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`access = ::Gitlab::UserAccess.new(user, container: project)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
			`if tag`
			`!access.can_create_tag?(ref)`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`else`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`!access.can_update_branch?(ref)`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`end`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`end`
			`end`
			`end`