diff options
author | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2017-04-12 11:26:18 +0200 |
---|---|---|
committer | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2017-04-12 11:26:18 +0200 |
commit | b09465f38d66d7ff6074843177bcdb7d72caf07f (patch) | |
tree | 40ccff4e2c64cd5f180c4dfff66f38e1536b5056 | |
parent | 7bcca2284b09e18438e6163c6ead72e10fdd2f57 (diff) | |
download | gitlab-ce-b09465f38d66d7ff6074843177bcdb7d72caf07f.tar.gz |
Implement new rule for manual actions in policies
-rw-r--r-- | app/policies/ci/build_policy.rb | 14 | ||||
-rw-r--r-- | spec/policies/ci/build_policy_spec.rb | 53 |
2 files changed, 67 insertions, 0 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 8b25332b73c..0522cbdb331 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -8,6 +8,20 @@ module Ci %w[read create update admin].each do |rule| cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build" end + + can! :play_build if can_play_action? + end + + private + + alias_method :build, :subject + + def can_play_action? + return false unless build.playable? + + ::Gitlab::UserAccess + .new(user, project: build.project) + .can_push_to_branch?(build.ref) end end end diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb index 0f280f32eac..e4693cdcef0 100644 --- a/spec/policies/ci/build_policy_spec.rb +++ b/spec/policies/ci/build_policy_spec.rb @@ -89,5 +89,58 @@ describe Ci::BuildPolicy, :models do end end end + + describe 'rules for manual actions' do + let(:project) { create(:project) } + + before do + project.add_developer(user) + end + + context 'when branch build is assigned to is protected' do + before do + create(:protected_branch, :no_one_can_push, + name: 'some-ref', project: project) + end + + context 'when build is a manual action' do + let(:build) do + create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline) + end + + it 'does not include ability to play build' do + expect(policies).not_to include :play_build + end + end + + context 'when build is not a manual action' do + let(:build) do + create(:ci_build, ref: 'some-ref', pipeline: pipeline) + end + + it 'does not include ability to play build' do + expect(policies).not_to include :play_build + end + end + end + + context 'when branch build is assigned to is not protected' do + context 'when build is a manual action' do + let(:build) { create(:ci_build, :manual, pipeline: pipeline) } + + it 'includes ability to play build' do + expect(policies).to include :play_build + end + end + + context 'when build is not a manual action' do + let(:build) { create(:ci_build, pipeline: pipeline) } + + it 'does not include ability to play build' do + expect(policies).not_to include :play_build + end + end + end + end end end |