Merge branch 'master' into 46381-dropdown-mr-widget46381-dropdown-mr-widget

* master: (40 commits) Add changelog Update quick_start_guide.md Resolve "Opening Project with invite but without accepting leads to 404 error page" Respect the inheritance chain between Ci::Build and CommitStatus Remove unneccessary imports fixed copy to cliboard button in embedded snippets Fix Error 500 viewing admin page due to statement timeouts Grant privileges after database is created Only setup db in the first checkout! Project Sidebar: Split CI/CD into CI/CD and Operations Fix GPM content types for Doorkeeper Workhorse to send raw diff and patch for commits Refactor out duplication in runner_policy.rb Remove unnecessary runner.is_shared? checks in api because they are handled by policy Allow admin to assign shared runner to project through API Change policy list_runner_jobs -> read_runner Rename User#ci_authorized_runners -> ci_owned_runners Improve efficiency of authorized_runner policy query Use can? policies for lib/api/runners.rb Allow group runners to be viewed/edited in API ...
author: Filipa Lacerda <filipa@gitlab.com> 2018-05-17 15:40:39 +0100
committer: Filipa Lacerda <filipa@gitlab.com> 2018-05-17 15:40:39 +0100
commit: 49673de34f326a15d3358cb4ff22a73dfa5d4b20 (patch)
tree: 456d5744b1afb95ce12d7a2364f2dd7842b88a0d /lib/api
parent: 9e61d26c35acd6e60ac0fb0df711dbfdfda7c448 (diff)
parent: d9b78477000dafc4f8b8fd7e795e97649b8c6718 (diff)
download: gitlab-ce-46381-dropdown-mr-widget.tar.gz
4 files changed, 12 insertions, 15 deletions
diff --git a/lib/api/groups.rb b/lib/api/groups.rb
index 92e3d5cc10a..0d125cd7831 100644
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -165,6 +165,7 @@ module API
         group = find_group!(params[:id])
         authorize! :admin_group, group
 
+        Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-ce/issues/46285')
         destroy_conditionally!(group) do |group|
           ::Groups::DestroyService.new(group, current_user).execute
         end
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 5f2a9567605..5cb96d467c0 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -14,7 +14,7 @@ module API
         use :pagination
       end
       get do
-        runners = filter_runners(current_user.ci_authorized_runners, params[:scope], without: %w(specific shared))
+        runners = filter_runners(current_user.ci_owned_runners, params[:scope], without: %w(specific shared))
         present paginate(runners), with: Entities::Runner
       end
 
@@ -184,40 +184,35 @@ module API
       def authenticate_show_runner!(runner)
         return if runner.is_shared || current_user.admin?
 
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :read_runner, runner)
       end
 
       def authenticate_update_runner!(runner)
         return if current_user.admin?
 
-        forbidden!("Runner is shared") if runner.is_shared?
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :update_runner, runner)
       end
 
       def authenticate_delete_runner!(runner)
         return if current_user.admin?
 
-        forbidden!("Runner is shared") if runner.is_shared?
         forbidden!("Runner associated with more than one project") if runner.projects.count > 1
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :delete_runner, runner)
       end
 
       def authenticate_enable_runner!(runner)
-        forbidden!("Runner is shared") if runner.is_shared?
-        forbidden!("Runner is locked") if runner.locked?
+        forbidden!("Runner is a group runner") if runner.group_type?
+
         return if current_user.admin?
 
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("Runner is locked") if runner.locked?
+        forbidden!("No access granted") unless can?(current_user, :assign_runner, runner)
       end
 
       def authenticate_list_runners_jobs!(runner)
         return if current_user.admin?
 
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
-      end
-
-      def user_can_access_runner?(runner)
-        current_user.ci_authorized_runners.exists?(runner.id)
+        forbidden!("No access granted") unless can?(current_user, :read_runner, runner)
       end
     end
   end
diff --git a/lib/api/v3/groups.rb b/lib/api/v3/groups.rb
index 2c52d21fa1c..3844fd4810d 100644
--- a/lib/api/v3/groups.rb
+++ b/lib/api/v3/groups.rb
@@ -131,6 +131,7 @@ module API
         delete ":id" do
           group = find_group!(params[:id])
           authorize! :admin_group, group
+          Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab-ce/issues/46285')
           present ::Groups::DestroyService.new(group, current_user).execute, with: Entities::GroupDetail, current_user: current_user
         end
 
diff --git a/lib/api/v3/runners.rb b/lib/api/v3/runners.rb
index c6d9957d452..8a5c46805bd 100644
--- a/lib/api/v3/runners.rb
+++ b/lib/api/v3/runners.rb
@@ -58,7 +58,7 @@ module API
         end
 
         def user_can_access_runner?(runner)
-          current_user.ci_authorized_runners.exists?(runner.id)
+          current_user.ci_owned_runners.exists?(runner.id)
         end
       end
     end
author	Filipa Lacerda <filipa@gitlab.com>	2018-05-17 15:40:39 +0100
committer	Filipa Lacerda <filipa@gitlab.com>	2018-05-17 15:40:39 +0100
commit	49673de34f326a15d3358cb4ff22a73dfa5d4b20 (patch)
tree	456d5744b1afb95ce12d7a2364f2dd7842b88a0d /lib/api
parent	9e61d26c35acd6e60ac0fb0df711dbfdfda7c448 (diff)
parent	d9b78477000dafc4f8b8fd7e795e97649b8c6718 (diff)
download	gitlab-ce-46381-dropdown-mr-widget.tar.gz