summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2017-04-12 11:26:18 +0200
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2017-04-12 11:26:18 +0200
commitb09465f38d66d7ff6074843177bcdb7d72caf07f (patch)
tree40ccff4e2c64cd5f180c4dfff66f38e1536b5056
parent7bcca2284b09e18438e6163c6ead72e10fdd2f57 (diff)
downloadgitlab-ce-b09465f38d66d7ff6074843177bcdb7d72caf07f.tar.gz
Implement new rule for manual actions in policies
-rw-r--r--app/policies/ci/build_policy.rb14
-rw-r--r--spec/policies/ci/build_policy_spec.rb53
2 files changed, 67 insertions, 0 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 8b25332b73c..0522cbdb331 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -8,6 +8,20 @@ module Ci
%w[read create update admin].each do |rule|
cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
end
+
+ can! :play_build if can_play_action?
+ end
+
+ private
+
+ alias_method :build, :subject
+
+ def can_play_action?
+ return false unless build.playable?
+
+ ::Gitlab::UserAccess
+ .new(user, project: build.project)
+ .can_push_to_branch?(build.ref)
end
end
end
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index 0f280f32eac..e4693cdcef0 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -89,5 +89,58 @@ describe Ci::BuildPolicy, :models do
end
end
end
+
+ describe 'rules for manual actions' do
+ let(:project) { create(:project) }
+
+ before do
+ project.add_developer(user)
+ end
+
+ context 'when branch build is assigned to is protected' do
+ before do
+ create(:protected_branch, :no_one_can_push,
+ name: 'some-ref', project: project)
+ end
+
+ context 'when build is a manual action' do
+ let(:build) do
+ create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
+ end
+
+ it 'does not include ability to play build' do
+ expect(policies).not_to include :play_build
+ end
+ end
+
+ context 'when build is not a manual action' do
+ let(:build) do
+ create(:ci_build, ref: 'some-ref', pipeline: pipeline)
+ end
+
+ it 'does not include ability to play build' do
+ expect(policies).not_to include :play_build
+ end
+ end
+ end
+
+ context 'when branch build is assigned to is not protected' do
+ context 'when build is a manual action' do
+ let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
+
+ it 'includes ability to play build' do
+ expect(policies).to include :play_build
+ end
+ end
+
+ context 'when build is not a manual action' do
+ let(:build) { create(:ci_build, pipeline: pipeline) }
+
+ it 'does not include ability to play build' do
+ expect(policies).not_to include :play_build
+ end
+ end
+ end
+ end
end
end