Do not allow jobs to be erased

9b58b8e3 · Shinya Maeda · d4ceec9d · 9b58b8e3 · 9b58b8e3 · 9b58b8e3
Commit 9b58b8e3 authored 7 years ago by Shinya Maeda
--- a/app/controllers/projects/jobs_controller.rb
+++ b/app/controllers/projects/jobs_controller.rb
@@ -5,6 +5,7 @@ class Projects::JobsController < Projects::ApplicationController
    only: [:index, :show, :status, :raw, :trace]
  before_action :authorize_update_build!,
    except: [:index, :show, :status, :raw, :trace, :cancel_all]
+  before_action :authorize_erase_build!, only: [:erase]
  
  layout 'project'
  
@@ -131,6 +132,10 @@ class Projects::JobsController < Projects::ApplicationController
    return access_denied! unless can?(current_user, :update_build, build)
  end
  
+  def authorize_erase_build!
+    return access_denied! unless can?(current_user, :erase_build, build)
+  end
+
  def build
    @build ||= project.builds.find(params[:id])
      .present(current_user: current_user)

--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -192,6 +192,10 @@ module Ci
      project.build_timeout
    end
  
+    def owned_by?(current_user)
+      user == current_user
+    end
+
    # A slugified version of the build ref, suitable for inclusion in URLs and
    # domain names. Rules:
    #

--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -10,6 +10,11 @@ module Ci
      end
    end
  
+    condition(:owner_of_build) do
+      can?(:developer_access) && @subject.owned_by?(@user)
+    end
+
    rule { protected_ref }.prevent :update_build
+    rule { can?(:master_access) | owner_of_build }.enable :erase_build
  end
 end
--- a/app/serializers/build_details_entity.rb
+++ b/app/serializers/build_details_entity.rb
@@ -6,7 +6,7 @@ class BuildDetailsEntity < JobEntity
  expose :pipeline, using: PipelineEntity
  
  expose :erased_by, if: -> (*) { build.erased? }, using: UserEntity
-  expose :erase_path, if: -> (*) { build.erasable? && can?(current_user, :update_build, project) } do |build|
+  expose :erase_path, if: -> (*) { build.erasable? && can?(current_user, :erase_build, build) } do |build|
    erase_project_job_path(project, build)
  end
  

--- a/app/views/projects/jobs/show.html.haml
+++ b/app/views/projects/jobs/show.html.haml
@@ -71,7 +71,7 @@
                    class: 'js-raw-link-controller has-tooltip controllers-buttons' do
              = icon('file-text-o')
  
-          - if can?(current_user, :update_build, @project) && @build.erasable?
+          - if @build.erasable? && can?(current_user, :erase_build, @build)
            = link_to erase_project_job_path(@project, @build),
                      method: :post,
                      data: { confirm: 'Are you sure you want to erase this build?', placement: 'top', container: 'body' },

--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
@@ -136,7 +136,7 @@ module API
        authorize_update_builds!
  
        build = find_build!(params[:job_id])
-        authorize!(:update_build, build)
+        authorize!(:erase_build, build)
        return forbidden!('Job is not erasable!') unless build.erasable?
  
        build.erase(erased_by: current_user)

--- a/lib/api/v3/builds.rb
+++ b/lib/api/v3/builds.rb
@@ -169,7 +169,7 @@ module API
          authorize_update_builds!
  
          build = get_build!(params[:build_id])
-          authorize!(:update_build, build)
+          authorize!(:erase_build, build)
          return forbidden!('Build is not erasable!') unless build.erasable?
  
          build.erase(erased_by: current_user)

--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -150,5 +150,47 @@ describe Ci::BuildPolicy do
        end
      end
    end
+
+    # TODO: Finish spec
+    describe 'rules for erase build' do
+      let(:project) { create(:project, :repository) }
+      let(:another_user) { create(:user) }
+
+      context 'when developer created a build' do
+        before do
+          project.add_developer(user)
+        end
+
+        context 'when the build was created by the user' do
+          let(:build) { create(:ci_build, user: user) }
+
+          it { expect(policy).to be_allowed :erase_build }
+        end
+
+        context 'when the build was created by others' do
+          let(:build) { create(:ci_build, user: another_user) }
+
+          it { expect(policy).to be_disallowed :erase_build }
+        end
+      end
+
+      context 'when master erases a build' do
+        before do
+          project.add_master(user)
+        end
+
+        context 'when the build was created by the user' do
+          let(:build) { create(:ci_build, user: user) }
+
+          it { expect(policy).to be_allowed :erase_build }
+        end
+
+        context 'when the build was created by others' do
+          let(:build) { create(:ci_build, user: another_user) }
+
+          it { expect(policy).to be_allowed :erase_build }
+        end
+      end
+    end
  end
 end