gitlab-org--gitlab-foss/app/policies/ci/pipeline_policy.rb

# frozen_string_literal: true

module Ci
  class PipelinePolicy < BasePolicy
    delegate { @subject.project }

    condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }

    condition(:branch_allows_collaboration) do
      @subject.project.branch_allows_collaboration?(@user, @subject.ref)
    end

    condition(:external_pipeline, scope: :subject, score: 0) do
      @subject.external?
    end

    condition(:triggerer_of_pipeline) do
      @subject.triggered_by?(@user)
    end

    # Disallow users without permissions from accessing internal pipelines
    rule { ~can?(:read_build) & ~external_pipeline }.policy do
      prevent :read_pipeline
    end

    rule { protected_ref }.prevent :update_pipeline

    rule { can?(:public_access) & branch_allows_collaboration }.policy do
      enable :update_pipeline
    end

    rule { can?(:owner_access) }.policy do
      enable :destroy_pipeline
    end

    rule { can?(:admin_pipeline) }.policy do
      enable :read_pipeline_variable
    end

    rule { can?(:update_pipeline) & triggerer_of_pipeline }.policy do
      enable :read_pipeline_variable
    end

    def ref_protected?(user, project, tag, ref)
      access = ::Gitlab::UserAccess.new(user, project: project)

      if tag
        !access.can_create_tag?(ref)
      else
        !access.can_update_branch?(ref)
      end
    end
  end
end
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 06:00:56 -04:00			`# frozen_string_literal: true`

Send only to users have :read_build access, feedback: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6342#note_17193335 2016-10-21 06:16:39 -04:00			`module Ci`
Do not inherit build policy in pipeline policy 2017-04-12 06:19:39 -04:00			`class PipelinePolicy < BasePolicy`
Fix bad conflict resolution 2017-07-03 17:20:44 -04:00			`delegate { @subject.project }`
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00
Refactor common protected ref check 2017-12-08 02:49:55 -05:00			`condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 09:56:28 -04:00
Rephrase "maintainer" to more precise "members who can merge to the target branch" "Maintainer" will be freed to be used for #42751 2018-05-22 21:54:57 -04:00			`condition(:branch_allows_collaboration) do`
			`@subject.project.branch_allows_collaboration?(@user, @subject.ref)`
Enable update_(build\|pipeline) for maintainers 2018-05-15 04:18:22 -04:00			`end`

[master] Pipelines section is available to unauthorized users 2019-01-28 07:12:30 -05:00			`condition(:external_pipeline, scope: :subject, score: 0) do`
			`@subject.external?`
			`end`

Add new permission model `read-pipeline-variable` Used to get the variables via the API endpoint `/projects/:id/pipelines/:pipeline_id/variables` Signed-off-by: Agustin Henze <tin@redhat.com> 2019-04-09 10:53:44 -04:00			`condition(:triggerer_of_pipeline) do`
			`@subject.triggered_by?(@user)`
			`end`

[master] Pipelines section is available to unauthorized users 2019-01-28 07:12:30 -05:00			`# Disallow users without permissions from accessing internal pipelines`
			`rule { ~can?(:read_build) & ~external_pipeline }.policy do`
			`prevent :read_pipeline`
			`end`

Refactor common protected ref check 2017-12-08 02:49:55 -05:00			`rule { protected_ref }.prevent :update_pipeline`

Rephrase "maintainer" to more precise "members who can merge to the target branch" "Maintainer" will be freed to be used for #42751 2018-05-22 21:54:57 -04:00			`rule { can?(:public_access) & branch_allows_collaboration }.policy do`
Enable update_(build\|pipeline) for maintainers 2018-05-15 04:18:22 -04:00			`enable :update_pipeline`
			`end`

Authorize DestroyPipelineService against pipeline 2018-11-13 11:17:01 -05:00			`rule { can?(:owner_access) }.policy do`
			`enable :destroy_pipeline`
			`end`

Add new permission model `read-pipeline-variable` Used to get the variables via the API endpoint `/projects/:id/pipelines/:pipeline_id/variables` Signed-off-by: Agustin Henze <tin@redhat.com> 2019-04-09 10:53:44 -04:00			`rule { can?(:admin_pipeline) }.policy do`
			`enable :read_pipeline_variable`
			`end`

			`rule { can?(:update_pipeline) & triggerer_of_pipeline }.policy do`
			`enable :read_pipeline_variable`
			`end`

Refactor common protected ref check 2017-12-08 02:49:55 -05:00			`def ref_protected?(user, project, tag, ref)`
			`access = ::Gitlab::UserAccess.new(user, project: project)`

			`if tag`
			`!access.can_create_tag?(ref)`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 09:56:28 -04:00			`else`
Refactor common protected ref check 2017-12-08 02:49:55 -05:00			`!access.can_update_branch?(ref)`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 09:56:28 -04:00			`end`
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00			`end`
Send only to users have :read_build access, feedback: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6342#note_17193335 2016-10-21 06:16:39 -04:00			`end`
			`end`