From 9984f07a28273035d6c989913cb76c9c371965d0 Mon Sep 17 00:00:00 2001
From: Lin Jen-Shin <godfat@godfat.org>
Date: Tue, 6 Jun 2017 18:00:34 +0800
Subject: [PATCH] Disallow legacy trigger without a owner

Feedback:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11910#note_31594492
https://gitlab.com/gitlab-org/gitlab-ce/issues/30634#note_31601001
---
 app/services/ci/create_pipeline_service.rb       |  8 +++++---
 spec/services/ci/create_pipeline_service_spec.rb | 13 +++++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/app/services/ci/create_pipeline_service.rb b/app/services/ci/create_pipeline_service.rb
index 7efea564ba6..a51c52b3f91 100644
--- a/app/services/ci/create_pipeline_service.rb
+++ b/app/services/ci/create_pipeline_service.rb
@@ -23,6 +23,10 @@ module Ci
         return error('Insufficient permissions to create a new pipeline')
       end
 
+      unless trigger_request && trigger_request.trigger.owner
+        return error('Legacy trigger without a owner is not allowed')
+      end
+
       unless branch? || tag?
         return error('Reference not found')
       end
@@ -59,9 +63,7 @@ module Ci
     def triggering_user_allowed_for_ref?(trigger_request, ref)
       triggering_user = current_user || trigger_request.trigger.owner
 
-      (triggering_user &&
-        Ci::Pipeline.allowed_to_create?(triggering_user, project, ref)) ||
-        !project.protected_for?(ref)
+      Ci::Pipeline.allowed_to_create?(triggering_user, project, ref)
     end
 
     def process!
diff --git a/spec/services/ci/create_pipeline_service_spec.rb b/spec/services/ci/create_pipeline_service_spec.rb
index 2616dcc6f04..b8534a9d1aa 100644
--- a/spec/services/ci/create_pipeline_service_spec.rb
+++ b/spec/services/ci/create_pipeline_service_spec.rb
@@ -409,5 +409,18 @@ describe Ci::CreatePipelineService, services: true do
 
       it_behaves_like 'when ref is protected'
     end
+
+    context 'when ref is not protected' do
+      context 'when trigger belongs to no one' do
+        let(:user) {}
+        let(:trigger_request) { create(:ci_trigger_request) }
+
+        it 'does not create a pipeline' do
+          expect(execute_service(trigger_request: trigger_request))
+            .not_to be_persisted
+          expect(Ci::Pipeline.count).to eq(0)
+        end
+      end
+    end
   end
 end
-- 
GitLab