diff options
| author | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-05-10 16:13:05 +0200 |
|---|---|---|
| committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-05-11 15:20:11 +0200 |
| commit | e0768a9bcb32e81fe18a77b21573969f45b47683 (patch) | |
| tree | 00e91e901cad4c4ae0a616cdf7b555b5773e3aad /lib | |
| parent | d801dd177483a8375f1656654ca3638c18550204 (diff) | |
| download | gitlab-ce-e0768a9bcb32e81fe18a77b21573969f45b47683.tar.gz | |
Allow triggered builds git access
Allow builds that have been triggered by a user before terms were
enforced access to git. That way the builds can complete as usual.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gitlab/build_access.rb | 12 | ||||
| -rw-r--r-- | lib/gitlab/git_access.rb | 6 |
2 files changed, 17 insertions, 1 deletions
diff --git a/lib/gitlab/build_access.rb b/lib/gitlab/build_access.rb new file mode 100644 index 00000000000..08a8f846ca5 --- /dev/null +++ b/lib/gitlab/build_access.rb @@ -0,0 +1,12 @@ +module Gitlab + class BuildAccess < UserAccess + attr_accessor :user, :project + + # This bypasses the `can?(:access_git)`-check we normally do in `UserAccess` + # for CI. That way if a user was able to trigger a pipeline, then the + # build is allowed to clone the project. + def can_access_git? + true + end + end +end diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index 520b92a0363..db7c29be94b 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -105,7 +105,9 @@ module Gitlab end def check_active_user! - if user && !user_access.allowed? + return unless user + + unless user_access.allowed? message = Gitlab::Auth::UserAccessDeniedReason.new(user).rejection_message raise UnauthorizedError, message end @@ -338,6 +340,8 @@ module Gitlab def user_access @user_access ||= if ci? CiAccess.new + elsif user && request_from_ci_build? + BuildAccess.new(user, project: project) else UserAccess.new(user, project: project) end |