blob: 1d60b1e79def8b2a36b7dcdadd1c38dbab87d4c6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
# frozen_string_literal: true
module Ci
class PipelinePolicy < BasePolicy
delegate { @subject.project }
condition(:protected_ref) { ref_protected?(@user, @subject.project, @subject.tag?, @subject.ref) }
condition(:branch_allows_collaboration) do
@subject.project.branch_allows_collaboration?(@user, @subject.ref)
end
condition(:external_pipeline, scope: :subject, score: 0) do
@subject.external?
end
condition(:triggerer_of_pipeline) do
@subject.triggered_by?(@user)
end
condition(:project_allows_read_dependency) do
can?(:read_dependency, @subject.project)
end
# Disallow users without permissions from accessing internal pipelines
rule { ~can?(:read_build) & ~external_pipeline }.policy do
prevent :read_pipeline
end
rule { protected_ref }.prevent :update_pipeline
rule { can?(:public_access) & branch_allows_collaboration }.policy do
enable :update_pipeline
end
rule { can?(:owner_access) }.policy do
enable :destroy_pipeline
end
rule { can?(:admin_pipeline) }.policy do
enable :read_pipeline_variable
end
rule { can?(:update_pipeline) & triggerer_of_pipeline }.policy do
enable :read_pipeline_variable
end
rule { project_allows_read_dependency }.policy do
enable :read_dependency
end
def ref_protected?(user, project, tag, ref)
access = ::Gitlab::UserAccess.new(user, container: project)
if tag
!access.can_create_tag?(ref)
else
!access.can_update_branch?(ref)
end
end
end
end
|