From b09465f38d66d7ff6074843177bcdb7d72caf07f Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon <grzesiek.bizon@gmail.com>
Date: Wed, 12 Apr 2017 11:26:18 +0200
Subject: [PATCH] Implement new rule for manual actions in policies

---
 app/policies/ci/build_policy.rb       | 14 +++++++
 spec/policies/ci/build_policy_spec.rb | 53 +++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 8b25332b73c..0522cbdb331 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -8,6 +8,20 @@ module Ci
       %w[read create update admin].each do |rule|
         cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
       end
+
+      can! :play_build if can_play_action?
+    end
+
+    private
+
+    alias_method :build, :subject
+
+    def can_play_action?
+      return false unless build.playable?
+
+      ::Gitlab::UserAccess
+        .new(user, project: build.project)
+        .can_push_to_branch?(build.ref)
     end
   end
 end
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index 0f280f32eac..e4693cdcef0 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -89,5 +89,58 @@ describe Ci::BuildPolicy, :models do
         end
       end
     end
+
+    describe 'rules for manual actions' do
+      let(:project) { create(:project) }
+
+      before do
+        project.add_developer(user)
+      end
+
+      context 'when branch build is assigned to is protected' do
+        before do
+          create(:protected_branch, :no_one_can_push,
+                 name: 'some-ref', project: project)
+        end
+
+        context 'when build is a manual action' do
+          let(:build) do
+            create(:ci_build, :manual, ref: 'some-ref', pipeline: pipeline)
+          end
+
+          it 'does not include ability to play build' do
+            expect(policies).not_to include :play_build
+          end
+        end
+
+        context 'when build is not a manual action' do
+          let(:build) do
+            create(:ci_build, ref: 'some-ref', pipeline: pipeline)
+          end
+
+          it 'does not include ability to play build' do
+            expect(policies).not_to include :play_build
+          end
+        end
+      end
+
+      context 'when branch build is assigned to is not protected' do
+        context 'when build is a manual action' do
+          let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
+
+          it 'includes ability to play build' do
+            expect(policies).to include :play_build
+          end
+        end
+
+        context 'when build is not a manual action' do
+          let(:build) { create(:ci_build,  pipeline: pipeline) }
+
+          it 'does not include ability to play build' do
+            expect(policies).not_to include :play_build
+          end
+        end
+      end
+    end
   end
 end
-- 
GitLab