Move `authorize_read_build_trace!` out of `Projects::ApplicationController`
Problem
We currently have authorize_read_build_trace! in the Projects::ApplicationController that provides a more specific error message if debug_mode is enabled. This code isn't scoped to the domain.
This code should be moved out of the Projects::ApplicationController to somewhere more specific to the CI domain. Currently it is there because it needs to be shared with the artifacts and jobs controllers but ends up callable from all project related controllers when it's only relevant in those two.
It should be scoped to CI via an concern.
Implementation Plan
Delete authorize_read_build_trace! from Projects::ApplicationController
Add a new file at app/controllers/concerns/ci/auth_build_trace.rb
with roughly the following content
module Ci
module AuthBuildTrace
extend ActiveSupport::Concern
def authorize_read_build_trace!
return if can?(current_user, :read_build_trace, build)
if build.debug_mode?
access_denied!(
_('You must have developer or higher permissions in the associated project to view job logs when debug trace ' \
"is enabled. To disable debug trace, set the 'CI_DEBUG_TRACE' and 'CI_DEBUG_SERVICES' variables to 'false' " \
'in your pipeline configuration or CI/CD settings. If you must view this job log, a project maintainer ' \
'or owner must add you to the project with developer permissions or higher.')
)
else
access_denied!(_('The current user is not authorized to access the job log.'))
end
end
end
endAdd the includes to the Projects::JobsController and the Projects::ArtifactsController. Code samples:
class Projects::JobsController < Projects::ApplicationController
include Ci::AuthBuildTraceclass Projects::ArtifactsController < Projects::ApplicationController
include Ci::AuthBuildTrace