Commit be09ae21 authored by Grzegorz Bizon's avatar Grzegorz Bizon

Merge branch 'bug/35083-check-permission-for-downstream-pipeline' into 'master'

Add protected branch permission check to run downstream pipelines

See merge request gitlab-org/gitlab!20964
parents 43a0b38e baf43a0a
---
title: Add protected branch permission check to run downstream pipelines
merge_request: 20964
author:
type: fixed
...@@ -31,7 +31,12 @@ module Ci ...@@ -31,7 +31,12 @@ module Ci
def can_create_cross_pipeline? def can_create_cross_pipeline?
can?(current_user, :update_pipeline, project) && can?(current_user, :update_pipeline, project) &&
can?(target_user, :create_pipeline, target_project) can?(target_user, :create_pipeline, target_project) &&
can_update_branch?
end
def can_update_branch?
::Gitlab::UserAccess.new(target_user, project: target_project).can_update_branch?(target_ref)
end end
def create_pipeline! def create_pipeline!
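Review bot: The new `can_update_branch?` helper carries no comment explaining why the right to update the downstream ref is required on top of `:create_pipeline`, and the hunk does not show how `target_ref` is resolved. If `target_ref` can be nil or can name something other than a branch, it is worth confirming that `Gitlab::UserAccess#can_update_branch?` then denies, since this call is the only protected-ref gate visible here. I would add above the helper `# A downstream pipeline on a protected branch may only be started by a user allowed to update that branch in target_project.` The enclosing class and the callers of `can_create_cross_pipeline?` lie outside the hunk.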
......
...@@ -223,5 +223,19 @@ describe Ci::CreateCrossProjectPipelineService, '#execute' do ...@@ -223,5 +223,19 @@ describe Ci::CreateCrossProjectPipelineService, '#execute' do
end end
end end
end end
context 'when user does not have access to push protected branch of downstream project' do
before do
create(:protected_branch, :maintainers_can_push,
project: downstream_project, name: 'feature')
end
it 'changes status of the bridge build' do
service.execute(bridge)
expect(bridge.reload).to be_failed
expect(bridge.failure_reason).to eq 'insufficient_bridge_permissions'
end
end
end end
end end
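Review bot: The new example asserts only that the bridge ends up failed with `insufficient_bridge_permissions`; it does not assert that no downstream pipeline was created, which is the property the permission check is meant to guarantee. Wrapping the call as `expect { service.execute(bridge) }.not_to change(Ci::Pipeline, :count)` would pin that. The example also relies on the user's role in `downstream_project` and on the bridge targeting `feature`, both set up outside this hunk, so a one-line comment naming the assumed role would make the intent readable. The description 'changes status of the bridge build' could be more specific, e.g. 'fails the bridge without creating a pipeline'.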