Only allow confirmed users to run pipelines

This should make it harder for bots to make use of free CI minutes

Only allow confirmed users to run pipelines
This should make it harder for bots to make use of free CI minutes
9a4e2a4e · nicolasdular · 591f7c20 · 9a4e2a4e · 9a4e2a4e · 9a4e2a4e
Commit 9a4e2a4e authored Oct 30, 2019 by nicolasdular
3 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -117,6 +117,10 @@ class ProjectPolicy < BasePolicy
    !@subject.builds_enabled?
  end

+  condition(:user_confirmed?) do
+    @user && @user.confirmed?
+  end
+
  features = %w[
    merge_requests
    issues
@@ -249,10 +253,7 @@ class ProjectPolicy < BasePolicy
    enable :update_commit_status
    enable :create_build
    enable :update_build
-    enable :create_pipeline
-    enable :update_pipeline
    enable :read_pipeline_schedule
-    enable :create_pipeline_schedule
    enable :create_merge_request_from
    enable :create_wiki
    enable :push_code
@@ -267,6 +268,12 @@ class ProjectPolicy < BasePolicy
    enable :update_release
  end

+  rule { can?(:developer_access) & user_confirmed? }.policy do
+    enable :create_pipeline
+    enable :update_pipeline
+    enable :create_pipeline_schedule
+  end
+
  rule { can?(:maintainer_access) }.policy do
    enable :admin_board
    enable :push_to_delete_protected_branch
@@ -418,7 +425,7 @@ class ProjectPolicy < BasePolicy

  # These rules are included to allow maintainers of projects to push to certain
  # to run pipelines for the branches they have access to.
-  rule { can?(:public_access) & has_merge_requests_allowing_pushes }.policy do
+  rule { can?(:public_access) & has_merge_requests_allowing_pushes & user_confirmed? }.policy do
    enable :create_build
    enable :create_pipeline
  end

--- a/changelogs/unreleased/nicolasdular-confirm-email-before-ci-usage.yml
+++ b/changelogs/unreleased/nicolasdular-confirm-email-before-ci-usage.yml
+---
+title: Only allow confirmed users to run pipelines
+merge_request:
+author:
+type: fixed
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -315,6 +315,31 @@ describe ProjectPolicy do
    end
  end

+  context 'pipeline feature' do
+    let(:project) { create(:project) }
+
+    describe 'for unconfirmed user' do
+      let(:unconfirmed_user) { create(:user, confirmed_at: nil) }
+      subject { described_class.new(unconfirmed_user, project) }
+
+      it 'disallows to modify pipelines' do
+        expect_disallowed(:create_pipeline)
+        expect_disallowed(:update_pipeline)
+        expect_disallowed(:create_pipeline_schedule)
+      end
+    end
+
+    describe 'for confirmed user' do
+      subject { described_class.new(developer, project) }
+
+      it 'allows modify pipelines' do
+        expect_allowed(:create_pipeline)
+        expect_allowed(:update_pipeline)
+        expect_allowed(:create_pipeline_schedule)
+      end
+    end
+  end
+
  context 'builds feature' do
    context 'when builds are disabled' do
      subject { described_class.new(owner, project) }