From 846f73b53b8a6d3bc1f18607630d7a7853cb9d13 Mon Sep 17 00:00:00 2001
From: Dylan Griffith
Date: Wed, 9 May 2018 14:46:34 +0200
Subject: Allow group runners to be viewed/edited in API
---
 lib/api/runners.rb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'lib')
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 5f2a9567605..1b528a8490c 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -205,6 +205,7 @@ module API
 def authenticate_enable_runner!(runner)
 forbidden!("Runner is shared") if runner.is_shared?
 forbidden!("Runner is locked") if runner.locked?
+ forbidden!("Runner is a group runner") if runner.group_type?
 return if current_user.admin?
 forbidden!("No access granted") unless user_can_access_runner?(runner)
-- cgit v1.2.1
From 7320684c00ada153c0a9b102f8cf2db38367129a Mon Sep 17 00:00:00 2001
From: Dylan Griffith
Date: Wed, 9 May 2018 16:41:15 +0200
Subject: Use can? policies for lib/api/runners.rb
---
 lib/api/runners.rb | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
(limited to 'lib')
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 1b528a8490c..db9cff80cf9 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -184,14 +184,14 @@ module API
 def authenticate_show_runner!(runner)
 return if runner.is_shared || current_user.admin?
- forbidden!("No access granted") unless user_can_access_runner?(runner)
+ forbidden!("No access granted") unless can?(current_user, :read_runner, runner)
 end
 def authenticate_update_runner!(runner)
 return if current_user.admin?
 forbidden!("Runner is shared") if runner.is_shared?
- forbidden!("No access granted") unless user_can_access_runner?(runner)
+ forbidden!("No access granted") unless can?(current_user, :update_runner, runner)
 end
 def authenticate_delete_runner!(runner)
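Review bot: In authenticate_enable_runner! (commit 846f73b) the new group-runner guard sits above `return if current_user.admin?`, so it rejects admins as well, and nothing in the hunk says whether that is intended. Like the shared and locked guards before it, it also answers before the access check, so a caller with no rights on the runner can learn its type from the 403 message. If blocking admins is the intent, I would add a comment such as `# Group runners cannot be enabled per project, admins included`. Unless the distinct message is needed, I would also run the access check first for non-admins. The method's closing `end` lies outside the hunk.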
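Review bot: authenticate_show_runner! and authenticate_update_runner! (commit 7320684) still decide part of the authorization outside the policy: `return if runner.is_shared || current_user.admin?` and `return if current_user.admin?` run before `can?` is consulted, and the same admin shortcut stays in the enable and list-jobs helpers in the third hunk of this commit. With two sources of truth, a later tightening of the runner policy would silently not apply to these paths. The policy is not part of this diff; if it already grants these abilities to admins, a helper could reduce to the single line `forbidden!("No access granted") unless can?(current_user, :read_runner, runner)`, and otherwise a comment saying why the bypass stays would help. `runner.is_shared` is also written without the `?` used in the other helpers.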
@@ -199,7 +199,7 @@ module API
 forbidden!("Runner is shared") if runner.is_shared?
 forbidden!("Runner associated with more than one project") if runner.projects.count > 1
- forbidden!("No access granted") unless user_can_access_runner?(runner)
+ forbidden!("No access granted") unless can?(current_user, :delete_runner, runner)
 end
 def authenticate_enable_runner!(runner)
@@ -208,17 +208,13 @@ module API
 forbidden!("Runner is a group runner") if runner.group_type?
 return if current_user.admin?
- forbidden!("No access granted") unless user_can_access_runner?(runner)
+ forbidden!("No access granted") unless can?(current_user, :assign_runner, runner)
 end
 def authenticate_list_runners_jobs!(runner)
 return if current_user.admin?
- forbidden!("No access granted") unless user_can_access_runner?(runner)
- end
-
- def user_can_access_runner?(runner)
- current_user.ci_authorized_runners.exists?(runner.id)
+ forbidden!("No access granted") unless can?(current_user, :list_runner_jobs, runner)
 end
 end
 end
-- cgit v1.2.1
From c3f9d80a6e0950361e056ded4107015d3923f56d Mon Sep 17 00:00:00 2001
From: Dylan Griffith
Date: Thu, 10 May 2018 14:42:55 +0200
Subject: Rename User#ci_authorized_runners -> ci_owned_runners
---
 lib/api/runners.rb | 2 +-
 lib/api/v3/runners.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index db9cff80cf9..4f12aeac1fd 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -14,7 +14,7 @@ module API
 use :pagination
 end
 get do
- runners = filter_runners(current_user.ci_authorized_runners, params[:scope], without: %w(specific shared))
+ runners = filter_runners(current_user.ci_owned_runners, params[:scope], without: %w(specific shared))
 present paginate(runners), with: Entities::Runner
 end
diff --git a/lib/api/v3/runners.rb b/lib/api/v3/runners.rb
index c6d9957d452..8a5c46805bd 100644
--- a/lib/api/v3/runners.rb
+++ b/lib/api/v3/runners.rb
@@ -58,7 +58,7 @@ module API
 end
 def user_can_access_runner?(runner)
- current_user.ci_authorized_runners.exists?(runner.id)
+ current_user.ci_owned_runners.exists?(runner.id)
 end
 end
 end
-- cgit v1.2.1
From 8583e4a1478ffe94dfd75c51c8480b323cada6df Mon Sep 17 00:00:00 2001
From: Dylan Griffith
Date: Thu, 10 May 2018 14:53:24 +0200
Subject: Change policy list_runner_jobs -> read_runner
---
 lib/api/runners.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 4f12aeac1fd..c6dc40ae789 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -214,7 +214,7 @@ module API
 def authenticate_list_runners_jobs!(runner)
 return if current_user.admin?
- forbidden!("No access granted") unless can?(current_user, :list_runner_jobs, runner)
+ forbidden!("No access granted") unless can?(current_user, :read_runner, runner)
 end
 end
 end
-- cgit v1.2.1
From b35d16a77f6a63db756a94eeff3788e819e7ed04 Mon Sep 17 00:00:00 2001
From: Dylan Griffith
Date: Fri, 11 May 2018 10:10:22 +0200
Subject: Allow admin to assign shared runner to project through API
---
 lib/api/runners.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index c6dc40ae789..0fb125a6944 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -203,11 +203,11 @@ module API
 end
 def authenticate_enable_runner!(runner)
- forbidden!("Runner is shared") if runner.is_shared?
- forbidden!("Runner is locked") if runner.locked?
 forbidden!("Runner is a group runner") if runner.group_type?
+
 return if current_user.admin?
+ forbidden!("Runner is locked") if runner.locked?
 forbidden!("No access granted") unless can?(current_user, :assign_runner, runner)
 end
-- cgit v1.2.1
From 983bc6b175ab47fafefe2866dd19c3fdb98c2b84 Mon Sep 17 00:00:00 2001
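Review bot: authenticate_list_runners_jobs! (commit 8583e4a) now authorizes the job listing with `:read_runner`, so anyone allowed to view the runner may also list its jobs. The delete helper's `runner.projects.count > 1` guard shows a runner can serve several projects, and the hunk does not show whether the jobs endpoint filters results by the caller's access to each project. That is worth pinning with a request spec for a user who can read the runner but not one of its projects. A comment such as `# Listing jobs is authorized as reading the runner; there is no separate ability` would record the decision.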
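Review bot: Moving `forbidden!("Runner is locked") if runner.locked?` below `return if current_user.admin?` in authenticate_enable_runner! (commit b35d16a) lets admins enable locked runners too, which goes beyond the commit title (shared runners only). If only the shared restriction should be lifted for admins, keep the locked guard above the admin return. For non-admins the explicit shared-runner denial is gone, so that case is now rejected only if the `:assign_runner` policy denies it. The policy is not in this diff, so a request spec expecting 403 for a non-admin enabling a shared runner should accompany the change.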
From: Dylan Griffith
Date: Fri, 11 May 2018 10:56:02 +0200
Subject: Remove unnecessary runner.is_shared? checks in api because they are handled by policy
---
 lib/api/runners.rb | 2 --
 1 file changed, 2 deletions(-)
(limited to 'lib')
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
index 0fb125a6944..5cb96d467c0 100644
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -190,14 +190,12 @@ module API
 def authenticate_update_runner!(runner)
 return if current_user.admin?
- forbidden!("Runner is shared") if runner.is_shared?
 forbidden!("No access granted") unless can?(current_user, :update_runner, runner)
 end
 def authenticate_delete_runner!(runner)
 return if current_user.admin?
- forbidden!("Runner is shared") if runner.is_shared?
 forbidden!("Runner associated with more than one project") if runner.projects.count > 1
 forbidden!("No access granted") unless can?(current_user, :delete_runner, runner)
 end
-- cgit v1.2.1