[master] Pipelines section is available to unauthorized users

author: Kamil Trzciński <kamil@gitlab.com> 2019-01-28 15:12:30 +0300
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-01-31 18:52:50 +0300
commit: d4c7214799586a9b5063b0ea5b4327bbffe1170f (patch)
tree: 5e39656039d6f73e19b4cbc3575dba65d44aee4d /app/policies/ci
parent: 4b868ba8e71be9aa5591378555122d76c27ac777 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index e42d78f47c5..2c90b8a73cd 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -10,6 +10,15 @@ module Ci
       @subject.project.branch_allows_collaboration?(@user, @subject.ref)
     end
 
+    condition(:external_pipeline, scope: :subject, score: 0) do
+      @subject.external?
+    end
+
+    # Disallow users without permissions from accessing internal pipelines
+    rule { ~can?(:read_build) & ~external_pipeline }.policy do
+      prevent :read_pipeline
+    end
+
     rule { protected_ref }.prevent :update_pipeline
 
     rule { can?(:public_access) & branch_allows_collaboration }.policy do
author	Kamil Trzciński <kamil@gitlab.com>	2019-01-28 15:12:30 +0300
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-01-31 18:52:50 +0300
commit	d4c7214799586a9b5063b0ea5b4327bbffe1170f (patch)
tree	5e39656039d6f73e19b4cbc3575dba65d44aee4d /app/policies/ci
parent	4b868ba8e71be9aa5591378555122d76c27ac777 (diff)