1 files changed, 54 insertions, 0 deletions

diff --git a/app/services/ci/pipeline_schedules/base_save_service.rb b/app/services/ci/pipeline_schedules/base_save_service.rb
new file mode 100644
index 00000000000..45d70e5a65d
--- /dev/null
+++ b/app/services/ci/pipeline_schedules/base_save_service.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Ci
+  module PipelineSchedules
+    class BaseSaveService
+      include Gitlab::Utils::StrongMemoize
+
+      def execute
+        schedule.assign_attributes(params)
+
+        return forbidden_to_save unless allowed_to_save?
+        return forbidden_to_save_variables unless allowed_to_save_variables?
+
+        if schedule.save
+          ServiceResponse.success(payload: schedule)
+        else
+          ServiceResponse.error(payload: schedule, message: schedule.errors.full_messages)
+        end
+      end
+
+      private
+
+      attr_reader :project, :user, :params, :schedule
+
+      def allowed_to_save?
+        user.can?(self.class::AUTHORIZE, schedule)
+      end
+
+      def forbidden_to_save
+        # We add the error to the base object too
+        # because model errors are used in the API responses and the `form_errors` helper.
+        schedule.errors.add(:base, authorize_message)
+
+        ServiceResponse.error(payload: schedule, message: [authorize_message], reason: :forbidden)
+      end
+
+      def allowed_to_save_variables?
+        return true if params[:variables_attributes].blank?
+
+        user.can?(:set_pipeline_variables, project)
+      end
+
+      def forbidden_to_save_variables
+        message = _('The current user is not authorized to set pipeline schedule variables')
+
+        # We add the error to the base object too
+        # because model errors are used in the API responses and the `form_errors` helper.
+        schedule.errors.add(:base, message)
+
+        ServiceResponse.error(payload: schedule, message: [message], reason: :forbidden)
+      end
+    end
+  end
+end