Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-03 13:05:41 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-03 13:05:41 +0300
commit: e12f099f39ef8fb81f9b91612f8b35aefba7347c (patch)
tree: 03f55fd572a093bd4d278a7baf683ea40451e07f /lib/api
parent: 01a6adb2b453b852a9348365c4e867d6a36ddeb1 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/api/lint.rb b/lib/api/lint.rb
index f1e19e9c3c5..3655cb56564 100644
--- a/lib/api/lint.rb
+++ b/lib/api/lint.rb
@@ -4,6 +4,16 @@ module API
   class Lint < ::API::Base
     feature_category :pipeline_authoring
 
+    helpers do
+      def can_lint_ci?
+        signup_unrestricted = Gitlab::CurrentSettings.signup_enabled? && !Gitlab::CurrentSettings.signup_limited?
+        internal_user = current_user.present? && !current_user.external?
+        is_developer = current_user.present? && current_user.projects.any? { |p| p.team.member?(current_user, Gitlab::Access::DEVELOPER) }
+
+        signup_unrestricted || internal_user || is_developer
+      end
+    end
+
     namespace :ci do
       desc 'Validation of .gitlab-ci.yml content'
       params do
@@ -12,7 +22,7 @@ module API
         optional :include_jobs, type: Boolean, desc: 'Whether or not to include CI jobs in the response'
       end
       post '/lint' do
-        unauthorized! if (Gitlab::CurrentSettings.signup_disabled? || Gitlab::CurrentSettings.signup_limited?) && current_user.nil?
+        unauthorized! unless can_lint_ci?
 
         result = Gitlab::Ci::Lint.new(project: nil, current_user: current_user)
           .validate(params[:content], dry_run: false)
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-03 13:05:41 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-03 13:05:41 +0300
commit	e12f099f39ef8fb81f9b91612f8b35aefba7347c (patch)
tree	03f55fd572a093bd4d278a7baf683ea40451e07f /lib/api
parent	01a6adb2b453b852a9348365c4e867d6a36ddeb1 (diff)