Commit 6b01821b authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch 'fix/sm/31771-do-not-allow-jobs-to-be-erased-new' into 'master'

Do not allow jobs to be erased

Closes #31771

See merge request gitlab-org/gitlab-ce!15216
parents 6b9b5160 8029c92e
......@@ -4,7 +4,8 @@ class Projects::JobsController < Projects::ApplicationController
before_action :authorize_read_build!,
only: [:index, :show, :status, :raw, :trace]
before_action :authorize_update_build!,
except: [:index, :show, :status, :raw, :trace, :cancel_all]
except: [:index, :show, :status, :raw, :trace, :cancel_all, :erase]
before_action :authorize_erase_build!, only: [:erase]
layout 'project'
......@@ -131,6 +132,10 @@ class Projects::JobsController < Projects::ApplicationController
return access_denied! unless can?(current_user, :update_build, build)
end
def authorize_erase_build!
return access_denied! unless can?(current_user, :erase_build, build)
end
def build
@build ||= project.builds.find(params[:id])
.present(current_user: current_user)
......
......@@ -192,6 +192,10 @@ module Ci
project.build_timeout
end
def triggered_by?(current_user)
user == current_user
end
# A slugified version of the build ref, suitable for inclusion in URLs and
# domain names. Rules:
#
......
......@@ -10,6 +10,15 @@ module Ci
end
end
rule { protected_ref }.prevent :update_build
condition(:owner_of_job) do
can?(:developer_access) && @subject.triggered_by?(@user)
end
rule { protected_ref }.policy do
prevent :update_build
prevent :erase_build
end
rule { can?(:master_access) | owner_of_job }.enable :erase_build
end
end
......@@ -6,7 +6,7 @@ class BuildDetailsEntity < JobEntity
expose :pipeline, using: PipelineEntity
expose :erased_by, if: -> (*) { build.erased? }, using: UserEntity
expose :erase_path, if: -> (*) { build.erasable? && can?(current_user, :update_build, project) } do |build|
expose :erase_path, if: -> (*) { build.erasable? && can?(current_user, :erase_build, build) } do |build|
erase_project_job_path(project, build)
end
......
......@@ -71,7 +71,7 @@
class: 'js-raw-link-controller has-tooltip controllers-buttons' do
= icon('file-text-o')
- if can?(current_user, :update_build, @project) && @build.erasable?
- if @build.erasable? && can?(current_user, :erase_build, @build)
= link_to erase_project_job_path(@project, @build),
method: :post,
data: { confirm: 'Are you sure you want to erase this build?', placement: 'top', container: 'body' },
......
---
title: Only owner or master can erase jobs
merge_request: 15216
author:
type: changed
......@@ -197,6 +197,7 @@ instance and project. In addition, all admins can use the admin interface under
|---------------------------------------|-----------------|-------------|----------|--------|
| See commits and jobs | ✓ | ✓ | ✓ | ✓ |
| Retry or cancel job | | ✓ | ✓ | ✓ |
| Erase job artifacts and trace | | ✓ [^7] | ✓ | ✓ |
| Remove project | | | ✓ | ✓ |
| Create project | | | ✓ | ✓ |
| Change project configuration | | | ✓ | ✓ |
......@@ -261,5 +262,6 @@ only.
[^4]: Not allowed for Guest, Reporter, Developer, Master, or Owner
[^5]: Only if user is not external one.
[^6]: Only if user is a member of the project.
[^7]: Only if the build was triggered by the user
[ce-18994]: https://gitlab.com/gitlab-org/gitlab-ce/issues/18994
[new-mod]: project/new_ci_build_permissions_model.md
......@@ -136,7 +136,7 @@ module API
authorize_update_builds!
build = find_build!(params[:job_id])
authorize!(:update_build, build)
authorize!(:erase_build, build)
return forbidden!('Job is not erasable!') unless build.erasable?
build.erase(erased_by: current_user)
......
......@@ -169,7 +169,7 @@ module API
authorize_update_builds!
build = get_build!(params[:build_id])
authorize!(:update_build, build)
authorize!(:erase_build, build)
return forbidden!('Build is not erasable!') unless build.erasable?
build.erase(erased_by: current_user)
......
......@@ -371,8 +371,10 @@ describe Projects::JobsController do
end
describe 'POST erase' do
let(:role) { :master }
before do
project.add_developer(user)
project.team << [user, role]
sign_in(user)
post_erase
......@@ -404,6 +406,27 @@ describe Projects::JobsController do
end
end
context 'when user is developer' do
let(:role) { :developer }
let(:job) { create(:ci_build, :erasable, :trace, pipeline: pipeline, user: triggered_by) }
context 'when triggered by same user' do
let(:triggered_by) { user }
it 'has successful status' do
expect(response).to have_gitlab_http_status(:found)
end
end
context 'when triggered by different user' do
let(:triggered_by) { create(:user) }
it 'does not have successful status' do
expect(response).not_to have_gitlab_http_status(:found)
end
end
end
def post_erase
post :erase, namespace_id: project.namespace,
project_id: project,
......
......@@ -270,6 +270,23 @@ describe Ci::Build do
end
end
describe '#triggered_by?' do
subject { build.triggered_by?(user) }
context 'when user is owner' do
let(:build) { create(:ci_build, pipeline: pipeline, user: user) }
it { is_expected.to be_truthy }
end
context 'when user is not owner' do
let(:another_user) { create(:user) }
let(:build) { create(:ci_build, pipeline: pipeline, user: another_user) }
it { is_expected.to be_falsy }
end
end
describe '#detailed_status' do
it 'returns a detailed status' do
expect(build.detailed_status(user))
......
......@@ -150,5 +150,82 @@ describe Ci::BuildPolicy do
end
end
end
describe 'rules for erase build' do
let(:project) { create(:project, :repository) }
let(:build) { create(:ci_build, pipeline: pipeline, ref: 'some-ref', user: owner) }
context 'when a developer erases a build' do
before do
project.add_developer(user)
end
context 'when developers can push to the branch' do
before do
create(:protected_branch, :developers_can_push,
name: build.ref, project: project)
end
context 'when the build was created by the developer' do
let(:owner) { user }
it { expect(policy).to be_allowed :erase_build }
end
context 'when the build was created by the other' do
let(:owner) { create(:user) }
it { expect(policy).to be_disallowed :erase_build }
end
end
context 'when no one can push or merge to the branch' do
let(:owner) { user }
before do
create(:protected_branch, :no_one_can_push, :no_one_can_merge,
name: build.ref, project: project)
end
it { expect(policy).to be_disallowed :erase_build }
end
end
context 'when a master erases a build' do
before do
project.add_master(user)
end
context 'when masters can push to the branch' do
before do
create(:protected_branch, :masters_can_push,
name: build.ref, project: project)
end
context 'when the build was created by the master' do
let(:owner) { user }
it { expect(policy).to be_allowed :erase_build }
end
context 'when the build was created by the other' do
let(:owner) { create(:user) }
it { expect(policy).to be_allowed :erase_build }
end
end
context 'when no one can push or merge to the branch' do
let(:owner) { user }
before do
create(:protected_branch, :no_one_can_push, :no_one_can_merge,
name: build.ref, project: project)
end
it { expect(policy).to be_disallowed :erase_build }
end
end
end
end
end
......@@ -500,7 +500,11 @@ describe API::Jobs do
end
describe 'POST /projects/:id/jobs/:job_id/erase' do
let(:role) { :master }
before do
project.team << [user, role]
post api("/projects/#{project.id}/jobs/#{job.id}/erase", user)
end
......@@ -529,6 +533,23 @@ describe API::Jobs do
expect(response).to have_gitlab_http_status(403)
end
end
context 'when a developer erases a build' do
let(:role) { :developer }
let(:job) { create(:ci_build, :trace, :artifacts, :success, project: project, pipeline: pipeline, user: owner) }
context 'when the build was created by the developer' do
let(:owner) { user }
it { expect(response).to have_gitlab_http_status(201) }
end
context 'when the build was created by the other' do
let(:owner) { create(:user) }
it { expect(response).to have_gitlab_http_status(403) }
end
end
end
describe 'POST /projects/:id/jobs/:job_id/artifacts/keep' do
......
......@@ -408,6 +408,8 @@ describe API::V3::Builds do
describe 'POST /projects/:id/builds/:build_id/erase' do
before do
project.add_master(user)
post v3_api("/projects/#{project.id}/builds/#{build.id}/erase", user)
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment