From 7426e616e859671622cea96755cb5b1e09fd9abe Mon Sep 17 00:00:00 2001 From: Lin Jen-Shin Date: Tue, 18 Jul 2017 16:31:29 +0800 Subject: [PATCH] Make sure it checks against the tag only when it's a tag --- app/policies/ci/build_policy.rb | 5 ++++- spec/policies/ci/build_policy_spec.rb | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 71ecb5bca8d..386822d3ff6 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -5,8 +5,11 @@ module Ci access = ::Gitlab::UserAccess.new(@user, project: @subject.project) - !access.can_merge_to_branch?(@subject.ref) || + if @subject.tag? !access.can_create_tag?(@subject.ref) + else + !access.can_merge_to_branch?(@subject.ref) + end end rule { protected_action }.prevent :update_build diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb index aa62e675d37..9f3212b1a63 100644 --- a/spec/policies/ci/build_policy_spec.rb +++ b/spec/policies/ci/build_policy_spec.rb @@ -138,11 +138,30 @@ describe Ci::BuildPolicy, :models do before do create(:protected_tag, :no_one_can_create, name: 'some-ref', project: project) + + build.update(tag: true) end it_behaves_like 'protected ref' end + context 'when build is against a protected tag but it is not a tag' do + before do + create(:protected_tag, :no_one_can_create, + name: 'some-ref', project: project) + end + + context 'when build is a manual action' do + let(:build) do + create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline) + end + + it 'includes ability to update build' do + expect(policy).to be_allowed :update_build + end + end + end + context 'when branch build is assigned to is not protected' do context 'when build is a manual action' do let(:build) { create(:ci_build, :manual, pipeline: pipeline) } -- GitLab