gitlab-org--gitlab-foss/app/policies/ci/pipeline_policy.rb

module Ci
  class PipelinePolicy < BasePolicy
    delegate { @subject.project }

    condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }

    condition(:branch_allows_collaboration) do
      @subject.project.branch_allows_collaboration?(@user, @subject.ref)
    end

    rule { protected_ref }.prevent :update_pipeline

    rule { can?(:public_access) & branch_allows_collaboration }.policy do
      enable :update_pipeline
    end

    def ref_protected?(user, project, tag, ref)
      access = ::Gitlab::UserAccess.new(user, project: project)

      if tag
        !access.can_create_tag?(ref)
      else
        !access.can_update_branch?(ref)
      end
    end
  end
end
Send only to users have :read_build access, feedback: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6342#note_17193335 2016-10-21 06:16:39 -04:00			`module Ci`
Do not inherit build policy in pipeline policy 2017-04-12 06:19:39 -04:00			`class PipelinePolicy < BasePolicy`
Fix bad conflict resolution 2017-07-03 17:20:44 -04:00			`delegate { @subject.project }`
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00
Refactor common protected ref check 2017-12-08 02:49:55 -05:00			`condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 09:56:28 -04:00
Rephrase "maintainer" to more precise "members who can merge to the target branch" "Maintainer" will be freed to be used for #42751 2018-05-22 21:54:57 -04:00			`condition(:branch_allows_collaboration) do`
			`@subject.project.branch_allows_collaboration?(@user, @subject.ref)`
Enable update_(build\|pipeline) for maintainers 2018-05-15 04:18:22 -04:00			`end`

Refactor common protected ref check 2017-12-08 02:49:55 -05:00			`rule { protected_ref }.prevent :update_pipeline`

Rephrase "maintainer" to more precise "members who can merge to the target branch" "Maintainer" will be freed to be used for #42751 2018-05-22 21:54:57 -04:00			`rule { can?(:public_access) & branch_allows_collaboration }.policy do`
Enable update_(build\|pipeline) for maintainers 2018-05-15 04:18:22 -04:00			`enable :update_pipeline`
			`end`

Refactor common protected ref check 2017-12-08 02:49:55 -05:00			`def ref_protected?(user, project, tag, ref)`
			`access = ::Gitlab::UserAccess.new(user, project: project)`

			`if tag`
			`!access.can_create_tag?(ref)`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 09:56:28 -04:00			`else`
Refactor common protected ref check 2017-12-08 02:49:55 -05:00			`!access.can_update_branch?(ref)`
Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 09:56:28 -04:00			`end`
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 17:01:05 -04:00			`end`
Send only to users have :read_build access, feedback: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6342#note_17193335 2016-10-21 06:16:39 -04:00			`end`
			`end`