3d8c4f48
Commit
3d8c4f48
authored
Feb 22, 2022
by
Pedro Pombeiro
Allow admin to register project runners at all times
Changelog: fixed
parent
0175304d
Showing
4 changed files
with
111 additions
and
2 deletions
+111
-2
app/policies/project_policy.rb
app/policies/project_policy.rb
+11
-0
app/views/projects/runners/_specific_runners.html.haml
app/views/projects/runners/_specific_runners.html.haml
+1
-1
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+96
-0
spec/views/projects/runners/_specific_runners.html.haml_spec.rb
...iews/projects/runners/_specific_runners.html.haml_spec.rb
+3
-1
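--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -194,6 +194,10 @@ class ProjectPolicy < BasePolicy
     condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) }
   end
+  condition(:project_runner_registration_allowed) do
+    Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
+  end
   # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
   # not.
   rule { guest | admin }.enable :read_project_for_iids
@@ -230,6 +234,8 @@ class ProjectPolicy < BasePolicy
     enable :set_emails_disabled
     enable :set_show_default_award_emojis
     enable :set_warn_about_potentially_unwanted_characters
+    enable :register_project_runners
   end
   rule { can?(:guest_access) }.policy do
@@ -455,6 +461,7 @@ class ProjectPolicy < BasePolicy
     enable :update_freeze_period
     enable :destroy_freeze_period
     enable :admin_feature_flags_client
+    enable :register_project_runners
     enable :update_runners_registration_token
     enable :admin_project_google_cloud
   end
@@ -729,6 +736,10 @@ class ProjectPolicy < BasePolicy
     enable :access_security_and_compliance
   end
+  rule { ~admin & ~project_runner_registration_allowed }.policy do
+    prevent :register_project_runners
+  end
   private
   def user_is_user?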
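Review bot: The new `prevent :register_project_runners` rule in the last hunk leaves `:update_runners_registration_token` untouched, although the hunk at line 461 enables the two abilities side by side, so as far as these lines show a non-admin who holds that block's role can still reset the registration token while the `project` registrar is disabled. If that is intended, document it above the rule, for example `# Admins (in admin mode) may always register project runners; other roles follow valid_runner_registrars`; if it is not, add the token ability to the same `prevent` block. The condition reads only a feature flag and an instance-wide setting, so `condition(:project_runner_registration_allowed, scope: :global)` would likely let the policy framework cache it across users and projects. Every hunk cuts through a larger `rule … policy do` block, so the role each `enable` line belongs to is not visible here.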
app/views/projects/runners/_specific_runners.html.haml
...
@@ -2,7 +2,7 @@
...
@@ -2,7 +2,7 @@
=
_
(
'Specific runners'
)
=
_
(
'Specific runners'
)
.bs-callout.help-callout
.bs-callout.help-callout
-
if
valid_runner_registrars
.
include?
(
'project'
)
-
if
can?
(
current_user
,
:register_project_runners
,
@project
)
=
_
(
'These runners are specific to this project.'
)
=
_
(
'These runners are specific to this project.'
)
-
if
params
[
:ci_runner_templates
]
-
if
params
[
:ci_runner_templates
]
%hr
%hr
...
...
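Review bot: The `can?(current_user, :register_project_runners, @project)` guard only decides what this partial renders, and nothing in this commit shows the same ability or setting being checked where a runner is actually registered with the project's token. Assuming that line is the new side of the change (the rendered page does not mark it), a token that was copied before the registrar setting was tightened still has to be rejected server-side, so confirm that the registration path enforces `valid_runner_registrars` independently of this view. The body of the `if` and its `else` branch lie outside the hunk.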
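--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1755,4 +1755,100 @@ RSpec.describe ProjectPolicy do
       end
     end
   end
+  describe 'register_project_runners' do
+    context 'admin' do
+      let(:current_user) { admin }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        context 'with runner_registration_control FF disabled' do
+          before do
+            stub_feature_flags(runner_registration_control: false)
+          end
+          it { is_expected.to be_allowed(:register_project_runners) }
+        end
+        context 'with runner_registration_control FF enabled' do
+          before do
+            stub_feature_flags(runner_registration_control: true)
+          end
+          it { is_expected.to be_allowed(:register_project_runners) }
+          context 'with project runner registration disabled' do
+            before do
+              stub_application_setting(valid_runner_registrars: ['group'])
+            end
+            it { is_expected.to be_allowed(:register_project_runners) }
+          end
+        end
+      end
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:register_project_runners) }
+      end
+    end
+    context 'with owner' do
+      let(:current_user) { owner }
+      it { is_expected.to be_allowed(:register_project_runners) }
+      context 'with runner_registration_control FF disabled' do
+        before do
+          stub_feature_flags(runner_registration_control: false)
+        end
+        it { is_expected.to be_allowed(:register_project_runners) }
+      end
+      context 'with runner_registration_control FF enabled' do
+        before do
+          stub_feature_flags(runner_registration_control: true)
+        end
+        it { is_expected.to be_allowed(:register_project_runners) }
+        context 'with project runner registration disabled' do
+          before do
+            stub_application_setting(valid_runner_registrars: ['group'])
+          end
+          it { is_expected.to be_disallowed(:register_project_runners) }
+        end
+      end
+    end
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+      it { is_expected.to be_allowed(:register_project_runners) }
+    end
+    context 'with reporter' do
+      let(:current_user) { reporter }
+      it { is_expected.to be_disallowed(:register_project_runners) }
+    end
+    context 'with guest' do
+      let(:current_user) { guest }
+      it { is_expected.to be_disallowed(:register_project_runners) }
+    end
+    context 'with non member' do
+      let(:current_user) { create(:user) }
+      it { is_expected.to be_disallowed(:register_project_runners) }
+    end
+    context 'with anonymous' do
+      let(:current_user) { nil }
+      it { is_expected.to be_disallowed(:register_project_runners) }
+    end
+  end
 end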
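Review bot: The `'with maintainer'` context only asserts the default case, so the new `prevent` rule is never exercised for that role, even though the policy change adds `enable :register_project_runners` in two separate blocks and only the owner path is tested with registration disabled. Add the nested case the owner context already has: `stub_application_setting(valid_runner_registrars: ['group'])` in a `before`, followed by `it { is_expected.to be_disallowed(:register_project_runners) }`. The `'when admin mode is disabled'` context would also be clearer if it stated which registrar setting it runs under, since the default is not visible in this section.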
spec/views/projects/runners/_specific_runners.html.haml_spec.rb
...
@@ -11,12 +11,14 @@ RSpec.describe 'projects/runners/specific_runners.html.haml' do
...
@@ -11,12 +11,14 @@ RSpec.describe 'projects/runners/specific_runners.html.haml' do
@project
=
project
@project
=
project
@assignable_runners
=
[]
@assignable_runners
=
[]
@project_runners
=
[]
@project_runners
=
[]
allow
(
view
).
to
receive
(
:current_user
).
and_return
(
user
)
allow
(
view
).
to
receive
(
:reset_registration_token_namespace_project_settings_ci_cd_path
).
and_return
(
'banana_url'
)
allow
(
view
).
to
receive
(
:reset_registration_token_namespace_project_settings_ci_cd_path
).
and_return
(
'banana_url'
)
end
end
context
'when project runner registration is allowed'
do
context
'when project runner registration is allowed'
do
before
do
before
do
stub_application_setting
(
valid_runner_registrars:
[
'project'
])
stub_application_setting
(
valid_runner_registrars:
[
'project'
])
allow
(
view
).
to
receive
(
:can?
).
with
(
user
,
:register_project_runners
,
project
).
and_return
(
true
)
end
end
it
'enables the Remove project button for a project'
do
it
'enables the Remove project button for a project'
do
...
@@ -32,7 +34,7 @@ RSpec.describe 'projects/runners/specific_runners.html.haml' do
...
@@ -32,7 +34,7 @@ RSpec.describe 'projects/runners/specific_runners.html.haml' do
stub_application_setting
(
valid_runner_registrars:
[
'group'
])
stub_application_setting
(
valid_runner_registrars:
[
'group'
])
end
end
it
'does not enable the
the
Remove project button for a project'
do
it
'does not enable the Remove project button for a project'
do
render
'projects/runners/specific_runners'
,
project:
project
render
'projects/runners/specific_runners'
,
project:
project
expect
(
rendered
).
to
have_content
'Please contact an admin to register runners.'
expect
(
rendered
).
to
have_content
'Please contact an admin to register runners.'
...
...
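Review bot: The negative context in the second hunk still only sets `valid_runner_registrars: ['group']` and, in the visible lines, never stubs `can?`, so its outcome depends on the real policy evaluation for `user` rather than on the view logic under test. Mirror the positive context with `allow(view).to receive(:can?).with(user, :register_project_runners, project).and_return(false)`. The `before` block of that context starts above the hunk, so a stub that already exists there would make this unnecessary.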