diff options
Diffstat (limited to 'app/services/clusters/management/validate_management_project_permissions_service.rb')
-rw-r--r-- | app/services/clusters/management/validate_management_project_permissions_service.rb | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/app/services/clusters/management/validate_management_project_permissions_service.rb b/app/services/clusters/management/validate_management_project_permissions_service.rb new file mode 100644 index 00000000000..e89a0afe6d2 --- /dev/null +++ b/app/services/clusters/management/validate_management_project_permissions_service.rb @@ -0,0 +1,54 @@ +# frozen_string_literal: true + +module Clusters + module Management + class ValidateManagementProjectPermissionsService + attr_reader :current_user + + def initialize(user = nil) + @current_user = user + end + + def execute(cluster, management_project_id) + if management_project_id.present? + management_project = management_project_scope(cluster).find_by_id(management_project_id) + + unless management_project && can_admin_pipeline_for_project?(management_project) + cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action')) + + return false + end + end + + true + end + + private + + def can_admin_pipeline_for_project?(project) + Ability.allowed?(current_user, :admin_pipeline, project) + end + + def management_project_scope(cluster) + return ::Project.all if cluster.instance_type? + + group = + if cluster.group_type? + cluster.first_group + elsif cluster.project_type? + cluster.first_project&.namespace + end + + # Prevent users from selecting nested projects until + # https://gitlab.com/gitlab-org/gitlab/issues/34650 is resolved + include_subgroups = cluster.group_type? + + ::GroupProjectsFinder.new( + group: group, + current_user: current_user, + options: { only_owned: true, include_subgroups: include_subgroups } + ).execute + end + end + end +end |