2016-08-16 15:05:44 -04:00
|
|
|
module Ci
|
|
|
|
|
class BuildPolicy < CommitStatusPolicy
|
2017-05-05 06:25:24 -04:00
|
|
|
alias_method :build, :subject
|
|
|
|
|
|
2016-08-16 15:05:44 -04:00
|
|
|
def rules
|
|
|
|
|
super
|
|
|
|
|
|
|
|
|
|
# If we can't read build we should also not have that
|
|
|
|
|
# ability when looking at this in context of commit_status
|
2016-10-21 06:16:39 -04:00
|
|
|
%w[read create update admin].each do |rule|
|
2016-08-16 15:05:44 -04:00
|
|
|
cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
|
|
|
|
|
end
|
2017-04-12 05:26:18 -04:00
|
|
|
|
2017-05-05 06:25:24 -04:00
|
|
|
if can?(:update_build) && protected_action?
|
|
|
|
|
cannot! :update_build
|
|
|
|
|
end
|
2017-04-12 05:26:18 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
2017-05-05 06:25:24 -04:00
|
|
|
def protected_action?
|
2017-04-12 05:46:24 -04:00
|
|
|
return false unless build.action?
|
2017-04-12 05:26:18 -04:00
|
|
|
|
2017-05-05 06:25:24 -04:00
|
|
|
!::Gitlab::UserAccess
|
2017-04-12 05:26:18 -04:00
|
|
|
.new(user, project: build.project)
|
|
|
|
|
.can_push_to_branch?(build.ref)
|
2016-08-16 15:05:44 -04:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
