Forbid creating pipeline if it's protected and

cannot create the tag if it's a tag, and cannot merge the branch if it's a branch.
2017-06-05 23:38:06 +08:00 · 2017-06-05 23:38:06 +08:00 · 9ecb85a4f3
commit 9ecb85a4f3
parent 07e7ce31e3
2 changed files with 56 additions and 1 deletions
--- a/app/services/ci/create_pipeline_service.rb
+++ b/app/services/ci/create_pipeline_service.rb
@ -27,6 +27,12 @@ module Ci
        return error('Reference not found')
      end

+      if tag?
+        return error("#{ref} is protected") unless access.can_create_tag?(ref)
+      else
+        return error("#{ref} is protected") unless access.can_merge_to_branch?(ref)
+      end
+
      unless commit
        return error('Commit not found')
      end
@ -94,6 +100,10 @@ module Ci
      @commit ||= project.commit(origin_sha || origin_ref)
    end

+    def access
+      @access ||= Gitlab::UserAccess.new(current_user, project: project)
+    end
+
    def sha
      commit.try(:id)
    end
--- a/spec/services/ci/create_pipeline_service_spec.rb
+++ b/spec/services/ci/create_pipeline_service_spec.rb
@ -3,13 +3,14 @@ require 'spec_helper'
 describe Ci::CreatePipelineService, services: true do
  let(:project) { create(:project, :repository) }
  let(:user) { create(:admin) }
+  let(:ref_name) { 'refs/heads/master' }

  before do
    stub_ci_pipeline_to_return_yaml_file
  end

  describe '#execute' do
-    def execute_service(source: :push, after: project.commit.id, message: 'Message', ref: 'refs/heads/master')
+    def execute_service(source: :push, after: project.commit.id, message: 'Message', ref: ref_name)
      params = { ref: ref,
                 before: '00000000',
                 after: after,
@ -311,5 +312,49 @@ describe Ci::CreatePipelineService, services: true do
        end.not_to change { Environment.count }
      end
    end
+
+    shared_examples 'when ref is protected' do
+      let(:user) { create(:user) }
+
+      context 'when user is developer' do
+        before do
+          project.add_developer(user)
+        end
+
+        it 'does not create a pipeline' do
+          expect(execute_service).not_to be_persisted
+          expect(Ci::Pipeline.count).to eq(0)
+        end
+      end
+
+      context 'when user is master' do
+        before do
+          project.add_master(user)
+        end
+
+        it 'creates a pipeline' do
+          expect(execute_service).to be_persisted
+          expect(Ci::Pipeline.count).to eq(1)
+        end
+      end
+    end
+
+    context 'when ref is a protected branch' do
+      before do
+        create(:protected_branch, project: project, name: 'master')
+      end
+
+      it_behaves_like 'when ref is protected'
+    end
+
+    context 'when ref is a protected tag' do
+      let(:ref_name) { 'refs/tags/v1.0.0' }
+
+      before do
+        create(:protected_tag, project: project, name: '*')
+      end
+
+      it_behaves_like 'when ref is protected'
+    end
  end
 end