Skip to content

G
gitlab-ce
Commit b58744cd authored by Tomasz Maczukin's avatar Tomasz Maczukin
Browse files
Options

Modify authentication check methods in runners API

parent 553bac57
Hide whitespace changes
Inline Side-by-side
Showing with 22 additions and 24 deletions
lib/api/runners.rb
View file @ b58744cd
...@@ -31,7 +31,7 @@ module API ...@@ -31,7 +31,7 @@ module API
# GET /runners/:id # GET /runners/:id
get ':id' do get ':id' do
runner = get_runner(params[:id]) runner = get_runner(params[:id])
can_show_runner?(runner) unless current_user.is_admin? authenticate_show_runner!(runner)
present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin? present runner, with: Entities::RunnerDetails, user_is_admin: current_user.is_admin?
end end
...@@ -47,7 +47,7 @@ module API ...@@ -47,7 +47,7 @@ module API
# PUT /runners/:id # PUT /runners/:id
put ':id' do put ':id' do
runner = get_runner(params[:id]) runner = get_runner(params[:id])
can_update_runner?(runner) unless current_user.is_admin? authenticate_update_runner!(runner)
attrs = attributes_for_keys [:description, :active, :tag_list] attrs = attributes_for_keys [:description, :active, :tag_list]
if runner.update(attrs) if runner.update(attrs)
...@@ -65,7 +65,7 @@ module API ...@@ -65,7 +65,7 @@ module API
# DELETE /runners/:id # DELETE /runners/:id
delete ':id' do delete ':id' do
runner = get_runner(params[:id]) runner = get_runner(params[:id])
can_delete_runner?(runner) authenticate_delete_runner!(runner)
runner.destroy! runner.destroy!
present runner, with: Entities::RunnerDetails present runner, with: Entities::RunnerDetails
...@@ -93,7 +93,7 @@ module API ...@@ -93,7 +93,7 @@ module API
# POST /projects/:id/runners/:runner_id # POST /projects/:id/runners/:runner_id
post ':id/runners/:runner_id' do post ':id/runners/:runner_id' do
runner = get_runner(params[:runner_id]) runner = get_runner(params[:runner_id])
can_enable_runner?(runner) authenticate_enable_runner!(runner)
Ci::RunnerProject.create(runner: runner, project: user_project) Ci::RunnerProject.create(runner: runner, project: user_project)
present runner, with: Entities::Runner present runner, with: Entities::Runner
...@@ -111,7 +111,7 @@ module API ...@@ -111,7 +111,7 @@ module API
not_found!('Runner') unless runner_project not_found!('Runner') unless runner_project
runner = runner_project.runner runner = runner_project.runner
forbidden!("Can't disable runner - only one project associated with it. Please remove runner instead") if runner.projects.count == 1 forbidden!("Only one project associated with the runner. Please remove the runner instead") if runner.projects.count == 1
runner_project.destroy runner_project.destroy
...@@ -137,34 +137,32 @@ module API ...@@ -137,34 +137,32 @@ module API
runner runner
end end
def can_show_runner?(runner) def authenticate_show_runner!(runner)
return true if runner.is_shared return if runner.is_shared || current_user.is_admin?
forbidden!("Can't show runner's details - no access granted") unless user_can_access_runner?(runner) forbidden!("No access granted") unless user_can_access_runner?(runner)
end end
def can_update_runner?(runner) def authenticate_update_runner!(runner)
return true if current_user.is_admin? return if current_user.is_admin?
forbidden!("Can't update shared runner") if runner.is_shared? forbidden!("Runner is shared") if runner.is_shared?
forbidden!("Can't update runner - no access granted") unless user_can_access_runner?(runner) forbidden!("No access granted") unless user_can_access_runner?(runner)
end end
def can_delete_runner?(runner) def authenticate_delete_runner!(runner)
return true if current_user.is_admin? return if current_user.is_admin?
forbidden!("Can't delete shared runner") if runner.is_shared? forbidden!("Runner is shared") if runner.is_shared?
forbidden!("Can't delete runner - associated with more than one project") if runner.projects.count > 1 forbidden!("Runner associated with more than one project") if runner.projects.count > 1
forbidden!("Can't delete runner - no access granted") unless user_can_access_runner?(runner) forbidden!("No access granted") unless user_can_access_runner?(runner)
end end
def can_enable_runner?(runner) def authenticate_enable_runner!(runner)
forbidden!("Can't enable shared runner directly") if runner.is_shared? forbidden!("Runner is shared") if runner.is_shared?
return true if current_user.is_admin? return if current_user.is_admin?
forbidden!("Can't update runner - no access granted") unless user_can_access_runner?(runner) forbidden!("No access granted") unless user_can_access_runner?(runner)
end end
def user_can_access_runner?(runner) def user_can_access_runner?(runner)
runner.projects.inject(false) do |final, project| current_user.ci_authorized_runners.exists?(runner.id)
final || abilities.allowed?(current_user, :admin_project, project)
end
end end
end end
end end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7