Don't check permission, only protected ref if no user
parent
3c71c12b74
commit
47b93fd761
2 changed files with 64 additions and 3 deletions
|
@ -27,7 +27,7 @@ module Ci
|
|||
return error('Reference not found')
|
||||
end
|
||||
|
||||
unless Ci::Pipeline.allowed_to_create?(current_user, project, ref)
|
||||
unless triggering_user_allowed_for_ref?(trigger_request, ref)
|
||||
return error("Insufficient permissions for protected #{ref}")
|
||||
end
|
||||
|
||||
|
@ -56,6 +56,14 @@ module Ci
|
|||
|
||||
private
|
||||
|
||||
def triggering_user_allowed_for_ref?(trigger_request, ref)
|
||||
triggering_user = current_user || trigger_request.trigger.owner
|
||||
|
||||
(triggering_user &&
|
||||
Ci::Pipeline.allowed_to_create?(triggering_user, project, ref)) ||
|
||||
!project.protected_for?(ref)
|
||||
end
|
||||
|
||||
def process!
|
||||
Ci::Pipeline.transaction do
|
||||
update_merge_requests_head_pipeline if pipeline.save
|
||||
|
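Review bot: In `triggering_user_allowed_for_ref?`, the `||` fallback to `!project.protected_for?(ref)` also runs when a triggering user exists but `Ci::Pipeline.allowed_to_create?` returned false, so a user who fails the permission check is still let through on any unprotected ref, although the commit title reserves the protected-ref-only check for the no-user case. If `allowed_to_create?` checks anything beyond ref protection (not visible here), this widens access compared with the old direct call. Separately, `trigger_request.trigger.owner` raises NoMethodError when `current_user` is nil and no trigger request was passed (the spec helper defaults `trigger_request:` to nil), so the lookup should use safe navigation. The class body continues outside the hunk.

```ruby
def triggering_user_allowed_for_ref?(trigger_request, ref)
  # Fall back to the trigger owner only when no user is signed in.
  triggering_user = current_user || trigger_request&.trigger&.owner

  if triggering_user
    Ci::Pipeline.allowed_to_create?(triggering_user, project, ref)
  else
    # No identity to authorise: only unprotected refs may be built.
    !project.protected_for?(ref)
  end
end
```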
|
|
@ -10,13 +10,19 @@ describe Ci::CreatePipelineService, services: true do
|
|||
end
|
||||
|
||||
describe '#execute' do
|
||||
def execute_service(source: :push, after: project.commit.id, message: 'Message', ref: ref_name)
|
||||
def execute_service(
|
||||
source: :push,
|
||||
after: project.commit.id,
|
||||
message: 'Message',
|
||||
ref: ref_name,
|
||||
trigger_request: nil)
|
||||
params = { ref: ref,
|
||||
before: '00000000',
|
||||
after: after,
|
||||
commits: [{ message: message }] }
|
||||
|
||||
described_class.new(project, user, params).execute(source)
|
||||
described_class.new(project, user, params).execute(
|
||||
source, trigger_request: trigger_request)
|
||||
end
|
||||
|
||||
context 'valid params' do
|
||||
|
@ -337,6 +343,53 @@ describe Ci::CreatePipelineService, services: true do
|
|||
expect(Ci::Pipeline.count).to eq(1)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when trigger belongs to no one' do
|
||||
let(:user) {}
|
||||
let(:trigger_request) { create(:ci_trigger_request) }
|
||||
|
||||
it 'does not create a pipeline' do
|
||||
expect(execute_service(trigger_request: trigger_request))
|
||||
.not_to be_persisted
|
||||
expect(Ci::Pipeline.count).to eq(0)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when trigger belongs to a developer' do
|
||||
let(:user) {}
|
||||
|
||||
let(:trigger_request) do
|
||||
create(:ci_trigger_request).tap do |request|
|
||||
user = create(:user)
|
||||
project.add_developer(user)
|
||||
request.trigger.update(owner: user)
|
||||
end
|
||||
end
|
||||
|
||||
it 'does not create a pipeline' do
|
||||
expect(execute_service(trigger_request: trigger_request))
|
||||
.not_to be_persisted
|
||||
expect(Ci::Pipeline.count).to eq(0)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when trigger belongs to a master' do
|
||||
let(:user) {}
|
||||
|
||||
let(:trigger_request) do
|
||||
create(:ci_trigger_request).tap do |request|
|
||||
user = create(:user)
|
||||
project.add_master(user)
|
||||
request.trigger.update(owner: user)
|
||||
end
|
||||
end
|
||||
|
||||
it 'does not create a pipeline' do
|
||||
expect(execute_service(trigger_request: trigger_request))
|
||||
.to be_persisted
|
||||
expect(Ci::Pipeline.count).to eq(1)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when ref is a protected branch' do
|
||||
|
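Review bot: The example under `context 'when trigger belongs to a master'` is titled `it 'does not create a pipeline' do` but asserts `.to be_persisted` and a `Ci::Pipeline.count` of 1, so a failure would report the opposite of what is being checked; it should read `it 'creates a pipeline' do`. In the two `trigger_request` blocks the local `user = create(:user)` shadows the `let(:user) {}` defined just above, which makes it easy to misread who the service runs as; naming the local `owner` would keep the nil-user setup obvious. The three new contexts appear to exercise a protected ref only (the enclosing context opens outside the hunk), so the no-owner path on an unprotected ref, where `!project.protected_for?(ref)` grants access, has no example here.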
|