Add new permission model `read-pipeline-variable`

Used to get the variables via the API endpoint `/projects/:id/pipelines/:pipeline_id/variables` Signed-off-by: Agustin Henze <tin@redhat.com>
author: Agustin Henze <tin@redhat.com> 2019-04-09 17:53:44 +0300
committer: Kamil Trzciński <ayufan@ayufan.eu> 2019-04-09 17:53:44 +0300
commit: 20093f9de0b34da88a8b01ca94ee773685b16308 (patch)
tree: 6418fff41e2f5deeb5f3839d90472b28c18cf942 /app/policies/ci
parent: 67c330841271537eddad6fc938aa638d68f48a11 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 2c90b8a73cd..662c29a0973 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -14,6 +14,10 @@ module Ci
       @subject.external?
     end
 
+    condition(:triggerer_of_pipeline) do
+      @subject.triggered_by?(@user)
+    end
+
     # Disallow users without permissions from accessing internal pipelines
     rule { ~can?(:read_build) & ~external_pipeline }.policy do
       prevent :read_pipeline
@@ -29,6 +33,14 @@ module Ci
       enable :destroy_pipeline
     end
 
+    rule { can?(:admin_pipeline) }.policy do
+      enable :read_pipeline_variable
+    end
+
+    rule { can?(:update_pipeline) & triggerer_of_pipeline }.policy do
+      enable :read_pipeline_variable
+    end
+
     def ref_protected?(user, project, tag, ref)
       access = ::Gitlab::UserAccess.new(user, project: project)
author	Agustin Henze <tin@redhat.com>	2019-04-09 17:53:44 +0300
committer	Kamil Trzciński <ayufan@ayufan.eu>	2019-04-09 17:53:44 +0300
commit	20093f9de0b34da88a8b01ca94ee773685b16308 (patch)
tree	6418fff41e2f5deeb5f3839d90472b28c18cf942 /app/policies/ci
parent	67c330841271537eddad6fc938aa638d68f48a11 (diff)