1 files changed, 10 insertions, 6 deletions

diff --git a/app/controllers/groups/runners_controller.rb b/app/controllers/groups/runners_controller.rb
index 652f12e34ba..18b055b3f05 100644
--- a/app/controllers/groups/runners_controller.rb
+++ b/app/controllers/groups/runners_controller.rb
@@ -2,13 +2,9 @@
 
 class Groups::RunnersController < Groups::ApplicationController
   before_action :authorize_read_group_runners!, only: [:index, :show]
-  before_action :authorize_admin_group_runners!, only: [:edit, :update, :destroy, :pause, :resume]
+  before_action :authorize_update_runner!, only: [:edit, :update, :destroy, :pause, :resume]
   before_action :runner, only: [:edit, :update, :destroy, :pause, :resume, :show]
 
-  before_action only: [:show] do
-    push_frontend_feature_flag(:enforce_runner_token_expires_at)
-  end
-
   feature_category :runner
   urgency :low
 
@@ -37,7 +33,9 @@ class Groups::RunnersController < Groups::ApplicationController
   private
 
   def runner
-    @runner ||= Ci::RunnersFinder.new(current_user: current_user, params: { group: @group }).execute
+    group_params = { group: @group, membership: :all_available }
+
+    @runner ||= Ci::RunnersFinder.new(current_user: current_user, params: group_params).execute
       .except(:limit, :offset)
       .find(params[:id])
   end
@@ -45,6 +43,12 @@ class Groups::RunnersController < Groups::ApplicationController
   def runner_params
     params.require(:runner).permit(Ci::Runner::FORM_EDITABLE)
   end
+
+  def authorize_update_runner!
+    return if can?(current_user, :admin_group_runners, group) && can?(current_user, :update_runner, runner)
+
+    render_404
+  end
 end
 
 Groups::RunnersController.prepend_mod