diff options
| -rw-r--r-- | app/policies/ci/runner_policy.rb | 8 | ||||
| -rw-r--r-- | lib/api/runners.rb | 14 |
2 files changed, 9 insertions, 13 deletions
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb index 7dff8470e23..2908989b154 100644 --- a/app/policies/ci/runner_policy.rb +++ b/app/policies/ci/runner_policy.rb @@ -1,16 +1,16 @@ module Ci class RunnerPolicy < BasePolicy with_options scope: :subject, score: 0 - condition(:shared) { @subject.is_shared? } - - with_options scope: :subject, score: 0 condition(:locked, scope: :subject) { @subject.locked? } condition(:authorized_runner) { @user.ci_authorized_runners.include?(@subject) } rule { anonymous }.prevent_all rule { admin | authorized_runner }.enable :assign_runner - rule { ~admin & shared }.prevent :assign_runner + rule { admin | authorized_runner }.enable :read_runner + rule { admin | authorized_runner }.enable :update_runner + rule { admin | authorized_runner }.enable :delete_runner + rule { admin | authorized_runner }.enable :list_runner_jobs rule { ~admin & locked }.prevent :assign_runner end end diff --git a/lib/api/runners.rb b/lib/api/runners.rb index 1b528a8490c..db9cff80cf9 100644 --- a/lib/api/runners.rb +++ b/lib/api/runners.rb @@ -184,14 +184,14 @@ module API def authenticate_show_runner!(runner) return if runner.is_shared || current_user.admin? - forbidden!("No access granted") unless user_can_access_runner?(runner) + forbidden!("No access granted") unless can?(current_user, :read_runner, runner) end def authenticate_update_runner!(runner) return if current_user.admin? forbidden!("Runner is shared") if runner.is_shared? - forbidden!("No access granted") unless user_can_access_runner?(runner) + forbidden!("No access granted") unless can?(current_user, :update_runner, runner) end def authenticate_delete_runner!(runner) @@ -199,7 +199,7 @@ module API forbidden!("Runner is shared") if runner.is_shared? forbidden!("Runner associated with more than one project") if runner.projects.count > 1 - forbidden!("No access granted") unless user_can_access_runner?(runner) + forbidden!("No access granted") unless can?(current_user, :delete_runner, runner) end def authenticate_enable_runner!(runner) @@ -208,17 +208,13 @@ module API forbidden!("Runner is a group runner") if runner.group_type? return if current_user.admin? - forbidden!("No access granted") unless user_can_access_runner?(runner) + forbidden!("No access granted") unless can?(current_user, :assign_runner, runner) end def authenticate_list_runners_jobs!(runner) return if current_user.admin? - forbidden!("No access granted") unless user_can_access_runner?(runner) - end - - def user_can_access_runner?(runner) - current_user.ci_authorized_runners.exists?(runner.id) + forbidden!("No access granted") unless can?(current_user, :list_runner_jobs, runner) end end end |