diff options
| author | Lin Jen-Shin <godfat@godfat.org> | 2017-07-17 16:49:54 +0800 | 
|---|---|---|
| committer | Lin Jen-Shin <godfat@godfat.org> | 2017-07-17 16:49:54 +0800 | 
| commit | c82a642b51ad9a206e97072813b64479a0a6cd4c (patch) | |
| tree | 40b8b71650649efb4781840a6965a787f6b57227 | |
| parent | 5f32bd774ad5cb89685dab5102e0614b2593d4ff (diff) | |
| download | gitlab-ce-c82a642b51ad9a206e97072813b64479a0a6cd4c.tar.gz | |
Protect manual actions against protected tag too
| -rw-r--r-- | app/policies/ci/build_policy.rb | 7 | ||||
| -rw-r--r-- | spec/policies/ci/build_policy_spec.rb | 25 | 
2 files changed, 23 insertions, 9 deletions
| diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index a886efc1360..71ecb5bca8d 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -3,9 +3,10 @@ module Ci      condition(:protected_action) do        next false unless @subject.action? -      !::Gitlab::UserAccess -        .new(@user, project: @subject.project) -        .can_merge_to_branch?(@subject.ref) +      access = ::Gitlab::UserAccess.new(@user, project: @subject.project) + +      !access.can_merge_to_branch?(@subject.ref) || +        !access.can_create_tag?(@subject.ref)      end      rule { protected_action }.prevent :update_build diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb index ace95ac7067..aa62e675d37 100644 --- a/spec/policies/ci/build_policy_spec.rb +++ b/spec/policies/ci/build_policy_spec.rb @@ -103,12 +103,7 @@ describe Ci::BuildPolicy, :models do          project.add_developer(user)        end -      context 'when branch build is assigned to is protected' do -        before do -          create(:protected_branch, :no_one_can_push, -                 name: 'some-ref', project: project) -        end - +      shared_examples 'protected ref' do          context 'when build is a manual action' do            let(:build) do              create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline) @@ -130,6 +125,24 @@ describe Ci::BuildPolicy, :models do          end        end +      context 'when build is against a protected branch' do +        before do +          create(:protected_branch, :no_one_can_push, +                 name: 'some-ref', project: project) +        end + +        it_behaves_like 'protected ref' +      end + +      context 'when build is against a protected tag' do +        before do +          create(:protected_tag, :no_one_can_create, +                 name: 'some-ref', project: project) +        end + +        it_behaves_like 'protected ref' +      end +        context 'when branch build is assigned to is not protected' do          context 'when build is a manual action' do            let(:build) { create(:ci_build, :manual, pipeline: pipeline) } | 
