
Commit aefd8b23 authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch 'fix/gb/use-merge-ability-for-protected-manual-actions' into 'master'

Check only a merge ability for protected actions

Closes #32618

See merge request !11648
parents a8f45c42 6914aeae
......@@ -23,7 +23,7 @@ def protected_action?
!::Gitlab::UserAccess
.new(user, project: build.project)
.can_push_to_branch?(build.ref)
.can_merge_to_branch?(build.ref)
end
end
end
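Review bot: `build.ref` is passed to a branch-specific check, `.can_merge_to_branch?(build.ref)`, but nothing in the visible lines establishes that the ref is a branch. If a manual action can belong to a tag pipeline, tag protection may not be consulted here, which is worth confirming. Merge access on a protected branch is commonly granted more widely than push access, so this line now decides who may start deployment jobs and deserves a comment such as `# Merge (not push) ability on the ref gates protected manual actions`. The body of `protected_action?` starts above the hunk, so any earlier guard is not visible.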
......@@ -8,6 +8,7 @@
= icon('caret-down')
%ul.dropdown-menu.dropdown-menu-align-right
- actions.each do |action|
- next unless can?(current_user, :update_build, action)
%li
= link_to [:play, @project.namespace.becomes(Namespace), @project, action], method: :post, rel: 'nofollow' do
= custom_icon('icon_play')
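Review bot: The added `- next unless can?(current_user, :update_build, action)` only hides the play link, so the `play` route the link posts to must enforce the same `:update_build` check itself. That controller code is not part of this hunk, so please confirm it. A short HAML comment above the guard, e.g. `-# Display filter only; the play endpoint authorizes :update_build itself`, would stop a later reader from treating the view as the enforcement point.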
......
......@@ -13,7 +13,7 @@
= render 'projects/environments/metrics_button', environment: @environment
- if can?(current_user, :update_environment, @environment)
= link_to 'Edit', edit_namespace_project_environment_path(@project.namespace, @project, @environment), class: 'btn'
- if can?(current_user, :create_deployment, @environment) && @environment.can_stop?
- if can?(current_user, :stop_environment, @environment)
= link_to 'Stop', stop_namespace_project_environment_path(@project.namespace, @project, @environment), data: { confirm: 'Are you sure you want to stop this environment?' }, class: 'btn btn-danger', method: :post
.environments-container
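Review bot: The Stop button condition no longer calls `@environment.can_stop?`, so `:stop_environment` must now cover both "the environment has a stop action" and "the user may run it". The policy rule is not visible on this page, so this is something to confirm rather than a known defect. If the policy checks only the user's ability, keep the state check explicit: `- if @environment.can_stop? && can?(current_user, :stop_environment, @environment)`. The stop route the link posts to should also authorize `:stop_environment`, since the view condition only controls display.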
......
---
title: Respect merge, instead of push, permissions for protected actions
merge_request: 11648
author:
......@@ -591,7 +591,7 @@ Optional manual actions have `allow_failure: true` set by default.
**Manual actions are considered to be write actions, so permissions for
protected branches are used when user wants to trigger an action. In other
words, in order to trigger a manual action assigned to a branch that the
pipeline is running for, user needs to have ability to push to this branch.**
pipeline is running for, user needs to have ability to merge to this branch.**
### environment
......
......@@ -234,7 +234,11 @@ def post_retry
describe 'POST play' do
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
sign_in(user)
post_play
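Review bot: The `before` block sets up only the allowed case (a developer plus a `:developers_can_merge` protected branch), and no example visible here posts `play` as a developer who lacks merge access to the protected ref. Because this change moves the authorization boundary, a denial example belongs next to it, e.g. a context that creates the protected branch without the `:developers_can_merge` trait and expects the request to be rejected and the build to stay manual. The same allowed-only setup appears in the play service spec hunks (`@@ -13,8 +13,11 @@`, `@@ -45,7 +48,10 @@`, `@@ -64,7 +70,10 @@`). The `describe 'POST play'` block continues outside the hunk, so such a case may already exist there.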
......
......@@ -12,6 +12,7 @@
feature 'environment details page' do
given!(:environment) { create(:environment, project: project) }
given!(:permissions) { }
given!(:deployment) { }
given!(:action) { }
......@@ -62,20 +63,31 @@
name: 'deploy to production')
end
given(:role) { :master }
context 'when user has ability to trigger deployment' do
given(:permissions) do
create(:protected_branch, :developers_can_merge,
name: action.ref, project: project)
end
scenario 'does show a play button' do
expect(page).to have_link(action.name.humanize)
end
it 'does show a play button' do
expect(page).to have_link(action.name.humanize)
end
it 'does allow to play manual action' do
expect(action).to be_manual
scenario 'does allow to play manual action' do
expect(action).to be_manual
expect { click_link(action.name.humanize) }
.not_to change { Ci::Pipeline.count }
expect { click_link(action.name.humanize) }
.not_to change { Ci::Pipeline.count }
expect(page).to have_content(action.name)
expect(action.reload).to be_pending
end
end
expect(page).to have_content(action.name)
expect(action.reload).to be_pending
context 'when user has no ability to trigger a deployment' do
it 'does not show a play button' do
expect(page).not_to have_link(action.name.humanize)
end
end
context 'with external_url' do
......@@ -134,12 +146,23 @@
on_stop: 'close_app')
end
given(:role) { :master }
context 'when user has ability to stop environment' do
given(:permissions) do
create(:protected_branch, :developers_can_merge,
name: action.ref, project: project)
end
scenario 'does allow to stop environment' do
click_link('Stop')
it 'allows to stop environment' do
click_link('Stop')
expect(page).to have_content('close_app')
expect(page).to have_content('close_app')
end
end
context 'when user has no ability to stop environment' do
it 'does not allow to stop environment' do
expect(page).to have_no_link('Stop')
end
end
context 'for reporter' do
......@@ -150,12 +173,6 @@
end
end
end
context 'without stop action' do
scenario 'does allow to stop environment' do
click_link('Stop')
end
end
end
context 'when environment is stopped' do
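Review bot: The two denial contexts (`when user has no ability to trigger a deployment`, `when user has no ability to stop environment`) appear to get their precondition only from the empty `given!(:permissions) { }` default. The lines shown therefore do not say what actually withholds the ability, and the examples could pass for an unrelated reason. State the precondition in each context, for instance with a `given(:permissions)` that creates the protected branch for `action.ref` without the `:developers_can_merge` trait, or at least a comment naming the rule that applies when no protected branch record exists. The added examples also appear to use `it` where the surrounding feature spec uses `scenario`; one form should be used throughout.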
......
......@@ -58,9 +58,12 @@
end
end
context 'and user does have deployment permission' do
context 'and user has deployment permission' do
before do
build.project.add_master(user)
build.project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it 'returns action' do
......
......@@ -7,7 +7,12 @@
let(:regex_match) { described_class.match('deploy staging to production') }
before do
project.add_master(user)
# Make it possible to trigger protected manual actions for developers.
#
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end
subject do
......
......@@ -224,7 +224,10 @@
context 'when user has ability to play action' do
before do
build.project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it 'fabricates status that has action' do
......
......@@ -2,6 +2,7 @@
describe Gitlab::Ci::Status::Build::Play do
let(:user) { create(:user) }
let(:project) { build.project }
let(:build) { create(:ci_build, :manual) }
let(:status) { Gitlab::Ci::Status::Core.new(build, user) }
......@@ -15,8 +16,13 @@
describe '#has_action?' do
context 'when user is allowed to update build' do
context 'when user can push to branch' do
before { build.project.add_master(user) }
context 'when user is allowed to trigger protected action' do
before do
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it { is_expected.to have_action }
end
......
......@@ -227,7 +227,10 @@
context 'when user is allowed to stop environment' do
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end
context 'when action did not yet finish' do
......
......@@ -3,6 +3,7 @@
describe BuildEntity do
let(:user) { create(:user) }
let(:build) { create(:ci_build) }
let(:project) { build.project }
let(:request) { double('request') }
before do
......@@ -52,7 +53,10 @@
context 'when user is allowed to trigger action' do
before do
build.project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end
it 'contains path to play action' do
......
......@@ -13,8 +13,11 @@
context 'when project does not have repository yet' do
let(:project) { create(:empty_project) }
it 'allows user with master role to play build' do
project.add_master(user)
it 'allows user to play build if protected branch rules are met' do
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
service.execute(build)
......@@ -45,7 +48,10 @@
let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it 'enqueues the build' do
......@@ -64,7 +70,10 @@
let(:build) { create(:ci_build, when: :manual, pipeline: pipeline) }
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
end
it 'duplicates the build' do
......
......@@ -333,10 +333,11 @@
context 'when pipeline is promoted sequentially up to the end' do
before do
# We are using create(:empty_project), and users has to be master in
# order to execute manual action when repository does not exist.
# Users need ability to merge into a branch in order to trigger
# protected manual actions.
#
project.add_master(user)
create(:protected_branch, :developers_can_merge,
name: 'master', project: project)
end
it 'properly processes entire pipeline' do
......
......@@ -6,9 +6,12 @@
let(:pipeline) { create(:ci_pipeline, project: project) }
let(:service) { described_class.new(project, user) }
context 'when user has ability to modify pipeline' do
context 'when user has full ability to modify pipeline' do
before do
project.add_master(user)
project.add_developer(user)
create(:protected_branch, :developers_can_merge,
name: pipeline.ref, project: project)
end
context 'when there are already retried jobs present' do
......