From 846f73b53b8a6d3bc1f18607630d7a7853cb9d13 Mon Sep 17 00:00:00 2001
From: Dylan Griffith <dyl.griffith@gmail.com>
Date: Wed, 9 May 2018 14:46:34 +0200
Subject: Allow group runners to be viewed/edited in API

---
 lib/api/runners.rb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lib')

diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 5f2a9567605..1b528a8490c 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -205,6 +205,7 @@ module API
       def authenticate_enable_runner!(runner)
         forbidden!("Runner is shared") if runner.is_shared?
         forbidden!("Runner is locked") if runner.locked?
+        forbidden!("Runner is a group runner") if runner.group_type?
         return if current_user.admin?
 
         forbidden!("No access granted") unless user_can_access_runner?(runner)
-- 
cgit v1.2.1


From 7320684c00ada153c0a9b102f8cf2db38367129a Mon Sep 17 00:00:00 2001
From: Dylan Griffith <dyl.griffith@gmail.com>
Date: Wed, 9 May 2018 16:41:15 +0200
Subject: Use can? policies for lib/api/runners.rb

---
 lib/api/runners.rb | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

(limited to 'lib')

diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 1b528a8490c..db9cff80cf9 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -184,14 +184,14 @@ module API
       def authenticate_show_runner!(runner)
         return if runner.is_shared || current_user.admin?
 
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :read_runner, runner)
       end
 
       def authenticate_update_runner!(runner)
         return if current_user.admin?
 
         forbidden!("Runner is shared") if runner.is_shared?
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :update_runner, runner)
       end
 
       def authenticate_delete_runner!(runner)
@@ -199,7 +199,7 @@ module API
 
         forbidden!("Runner is shared") if runner.is_shared?
         forbidden!("Runner associated with more than one project") if runner.projects.count > 1
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :delete_runner, runner)
       end
 
       def authenticate_enable_runner!(runner)
@@ -208,17 +208,13 @@ module API
         forbidden!("Runner is a group runner") if runner.group_type?
         return if current_user.admin?
 
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :assign_runner, runner)
       end
 
       def authenticate_list_runners_jobs!(runner)
         return if current_user.admin?
 
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
-      end
-
-      def user_can_access_runner?(runner)
-        current_user.ci_authorized_runners.exists?(runner.id)
+        forbidden!("No access granted") unless can?(current_user, :list_runner_jobs, runner)
       end
     end
   end
-- 
cgit v1.2.1


From c3f9d80a6e0950361e056ded4107015d3923f56d Mon Sep 17 00:00:00 2001
From: Dylan Griffith <dyl.griffith@gmail.com>
Date: Thu, 10 May 2018 14:42:55 +0200
Subject: Rename User#ci_authorized_runners -> ci_owned_runners

---
 lib/api/runners.rb    | 2 +-
 lib/api/v3/runners.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index db9cff80cf9..4f12aeac1fd 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -14,7 +14,7 @@ module API
         use :pagination
       end
       get do
-        runners = filter_runners(current_user.ci_authorized_runners, params[:scope], without: %w(specific shared))
+        runners = filter_runners(current_user.ci_owned_runners, params[:scope], without: %w(specific shared))
         present paginate(runners), with: Entities::Runner
       end
 
diff --git a/lib/api/v3/runners.rb b/lib/api/v3/runners.rb
index c6d9957d452..8a5c46805bd 100644
--- a/lib/api/v3/runners.rb
+++ b/lib/api/v3/runners.rb
@@ -58,7 +58,7 @@ module API
         end
 
         def user_can_access_runner?(runner)
-          current_user.ci_authorized_runners.exists?(runner.id)
+          current_user.ci_owned_runners.exists?(runner.id)
         end
       end
     end
-- 
cgit v1.2.1


From 8583e4a1478ffe94dfd75c51c8480b323cada6df Mon Sep 17 00:00:00 2001
From: Dylan Griffith <dyl.griffith@gmail.com>
Date: Thu, 10 May 2018 14:53:24 +0200
Subject: Change policy list_runner_jobs -> read_runner

---
 lib/api/runners.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 4f12aeac1fd..c6dc40ae789 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -214,7 +214,7 @@ module API
       def authenticate_list_runners_jobs!(runner)
         return if current_user.admin?
 
-        forbidden!("No access granted") unless can?(current_user, :list_runner_jobs, runner)
+        forbidden!("No access granted") unless can?(current_user, :read_runner, runner)
       end
     end
   end
-- 
cgit v1.2.1


From b35d16a77f6a63db756a94eeff3788e819e7ed04 Mon Sep 17 00:00:00 2001
From: Dylan Griffith <dyl.griffith@gmail.com>
Date: Fri, 11 May 2018 10:10:22 +0200
Subject: Allow admin to assign shared runner to project through API

---
 lib/api/runners.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index c6dc40ae789..0fb125a6944 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -203,11 +203,11 @@ module API
       end
 
       def authenticate_enable_runner!(runner)
-        forbidden!("Runner is shared") if runner.is_shared?
-        forbidden!("Runner is locked") if runner.locked?
         forbidden!("Runner is a group runner") if runner.group_type?
+
         return if current_user.admin?
 
+        forbidden!("Runner is locked") if runner.locked?
         forbidden!("No access granted") unless can?(current_user, :assign_runner, runner)
       end
 
-- 
cgit v1.2.1


From 983bc6b175ab47fafefe2866dd19c3fdb98c2b84 Mon Sep 17 00:00:00 2001
From: Dylan Griffith <dyl.griffith@gmail.com>
Date: Fri, 11 May 2018 10:56:02 +0200
Subject: Remove unnecessary runner.is_shared? checks in api because they are
 handled by policy

---
 lib/api/runners.rb | 2 --
 1 file changed, 2 deletions(-)

(limited to 'lib')

diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 0fb125a6944..5cb96d467c0 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -190,14 +190,12 @@ module API
       def authenticate_update_runner!(runner)
         return if current_user.admin?
 
-        forbidden!("Runner is shared") if runner.is_shared?
         forbidden!("No access granted") unless can?(current_user, :update_runner, runner)
       end
 
       def authenticate_delete_runner!(runner)
         return if current_user.admin?
 
-        forbidden!("Runner is shared") if runner.is_shared?
         forbidden!("Runner associated with more than one project") if runner.projects.count > 1
         forbidden!("No access granted") unless can?(current_user, :delete_runner, runner)
       end
-- 
cgit v1.2.1