gitlab-org--gitlab-foss/app/policies/ci/pipeline_policy.rb

# frozen_string_literal: true

module Ci
  class PipelinePolicy < BasePolicy
    delegate { @subject.project }

    condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }

    condition(:branch_allows_collaboration) do
      @subject.project.branch_allows_collaboration?(@user, @subject.ref)
    end

    rule { protected_ref }.prevent :update_pipeline

    rule { can?(:public_access) & branch_allows_collaboration }.policy do
      enable :update_pipeline
    end

    rule { can?(:owner_access) }.policy do
      enable :destroy_pipeline
    end

    def ref_protected?(user, project, tag, ref)
      access = ::Gitlab::UserAccess.new(user, project: project)

      if tag
        !access.can_create_tag?(ref)
      else
        !access.can_update_branch?(ref)
      end
    end
  end
end
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 10:00:56 +00:00			`# frozen_string_literal: true`

Send only to users have :read_build access, feedback: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6342#note_17193335 2016-10-21 10:16:39 +00:00			`module Ci`
Do not inherit build policy in pipeline policy 2017-04-12 10:19:39 +00:00			`class PipelinePolicy < BasePolicy`
Fix bad conflict resolution 2017-07-03 21:20:44 +00:00			`delegate { @subject.project }`
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 21:01:05 +00:00
Refactor common protected ref check 2017-12-08 07:49:55 +00:00			`condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 13:56:28 +00:00
Rephrase "maintainer" to more precise "members who can merge to the target branch" "Maintainer" will be freed to be used for #42751 2018-05-23 01:54:57 +00:00			`condition(:branch_allows_collaboration) do`
			`@subject.project.branch_allows_collaboration?(@user, @subject.ref)`
Enable update_(build\|pipeline) for maintainers 2018-05-15 08:18:22 +00:00			`end`

Refactor common protected ref check 2017-12-08 07:49:55 +00:00			`rule { protected_ref }.prevent :update_pipeline`

Rephrase "maintainer" to more precise "members who can merge to the target branch" "Maintainer" will be freed to be used for #42751 2018-05-23 01:54:57 +00:00			`rule { can?(:public_access) & branch_allows_collaboration }.policy do`
Enable update_(build\|pipeline) for maintainers 2018-05-15 08:18:22 +00:00			`enable :update_pipeline`
			`end`

Authorize DestroyPipelineService against pipeline 2018-11-13 16:17:01 +00:00			`rule { can?(:owner_access) }.policy do`
			`enable :destroy_pipeline`
			`end`

Refactor common protected ref check 2017-12-08 07:49:55 +00:00			`def ref_protected?(user, project, tag, ref)`
			`access = ::Gitlab::UserAccess.new(user, project: project)`

			`if tag`
			`!access.can_create_tag?(ref)`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 13:56:28 +00:00			`else`
Refactor common protected ref check 2017-12-08 07:49:55 +00:00			`!access.can_update_branch?(ref)`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 13:56:28 +00:00			`end`
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 21:01:05 +00:00			`end`
Send only to users have :read_build access, feedback: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6342#note_17193335 2016-10-21 10:16:39 +00:00			`end`
			`end`