Use Ability to check pre-requisite. Change back to 403 because:

If we're using `can?` it would look weird to use 409
2016-06-29 19:04:06 +08:00 · 2016-06-29 19:04:06 +08:00 · 23a3ce946a
parent deb5509f7b
commit 23a3ce946a
2 changed files with 14 additions and 2 deletions
--- a/app/controllers/projects/runner_projects_controller.rb
+++ b/app/controllers/projects/runner_projects_controller.rb
@ -6,8 +6,7 @@ class Projects::RunnerProjectsController < Projects::ApplicationController
  def create
    @runner = Ci::Runner.find(params[:runner_project][:runner_id])

-    return head(409) if @runner.is_shared? || @runner.locked?
-    return head(409) unless current_user.ci_authorized_runners.include?(@runner)
+    return head(403) unless can?(current_user, :assign_runner, @runner)

    path = runners_path(project)
    runner_project = @runner.assign_to(project, current_user)
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -19,6 +19,7 @@ class Ability
      when ProjectMember then project_member_abilities(user, subject)
      when User then user_abilities
      when ExternalIssue, Deployment, Environment then project_abilities(user, subject.project)
+      when Ci::Runner then runner_abilities(user, subject)
      else []
      end.concat(global_abilities(user))
    end
@ -512,6 +513,18 @@ class Ability
      rules
    end

+    def runner_abilities(user, runner)
+      if user.is_admin?
+        [:assign_runner]
+      elsif runner.is_shared? || runner.locked?
+        []
+      elsif user.ci_authorized_runners.include?(runner)
+        [:assign_runner]
+      else
+        []
+      end
+    end
+
    def user_abilities
      [:read_user]
    end