author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-29 19:27:29 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-29 19:27:48 +0300 |
commit | 14923c259bdf68da693a971744bee4a0bbafe007 (patch) | |
tree | 2a5d417d4cafb1f57b41d27bddc5119fe8838ad6 /app/services/ci | |
parent | 7bfb92974365aa17f3921f03bfb3f938c360efca (diff) |
Add latest changes from gitlab-org/security/gitlab@16-4-stable-ee
Diffstat (limited to 'app/services/ci')
-rw-r--r-- | app/services/ci/pipeline_schedules/base_save_service.rb | 6 | ||||
-rw-r--r-- | app/services/ci/pipeline_schedules/update_service.rb | 6 |
2 files changed, 11 insertions, 1 deletions
diff --git a/app/services/ci/pipeline_schedules/base_save_service.rb b/app/services/ci/pipeline_schedules/base_save_service.rb
index 45d70e5a65d..e6f633498e9 100644
--- a/app/services/ci/pipeline_schedules/base_save_service.rb
+++ b/app/services/ci/pipeline_schedules/base_save_service.rb
@@ -23,7 +23,11 @@ module Ci
 attr_reader :project, :user, :params, :schedule
 def allowed_to_save?
- user.can?(self.class::AUTHORIZE, schedule)
+ # Disable cache because the same ability may already have been checked
+ # for the same records with different attributes. For example, we do not
+ # want an unauthorized user to change an unprotected ref to a protected
+ # ref.
+ user.can?(self.class::AUTHORIZE, schedule, cache: false)
 end
 def forbidden_to_save
diff --git a/app/services/ci/pipeline_schedules/update_service.rb b/app/services/ci/pipeline_schedules/update_service.rb
index 2fd1173ecce..76b2121c4e1 100644
--- a/app/services/ci/pipeline_schedules/update_service.rb
+++ b/app/services/ci/pipeline_schedules/update_service.rb
@@ -12,6 +12,12 @@ module Ci
 @params = params
 end
+ def execute
+ return forbidden_to_save unless allowed_to_save?
+
+ super
+ end
+
 private
 def authorize_message
|
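Review bot: The new comment above `user.can?` in `allowed_to_save?` says why the policy cache is bypassed but not what state `schedule` is in when the ability is evaluated, which is the precondition that makes the bypass matter. If, as the comment implies, `schedule` can already carry the attributes from `params` at this point, say so explicitly, e.g. `# schedule may already hold the proposed attributes, so a result cached against its previous state must not be reused.`; a reader who does not know that will see `cache: false` as a gratuitous performance cost and be tempted to drop it. A regression spec that evaluates the same ability twice on one schedule (current ref, then a ref the user may not target) would pin this, but whether one exists is outside this diff. The method is shown in full; the enclosing class continues outside the hunk.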
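Review bot: The new `execute` override in update_service.rb carries no comment explaining why it authorizes before calling `super`, and since the base class defines `allowed_to_save?` and `forbidden_to_save` itself (visible in the base_save_service.rb hunk) it presumably performs the same check during its own `execute`; without the rationale a later maintainer will read this as a redundant double check and remove it. Add a comment such as `# Authorize against the schedule's current state before the base class applies params; the base check then runs again against the proposed attributes.` — hedged, because the base `execute` is not in this diff. The override is shown in full; the enclosing class and its `private` section continue outside the hunk.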