
Fix permissions on :read_pipeline_schedule ability

Leaminn Ma requested to merge fix-pipeline-schedules-policy into master

What does this MR do and why?

Currently, a public user is able to view the /pipeline_schedules page in a public project that has "Public pipelines" disabled. Per documentation, CI/CD menu items (which includes "Pipeline schedules") should not be publicly visible when "Public pipelines" is disabled.

This MR fixes the :read_pipeline_schedule ability to correct the visibility behaviour.

Resolves: #416643 (closed)

How to reproduce

  1. As the admin of a public Project, create any Scheduled pipeline at /<group>/<project>/-/pipeline_schedules.
  2. In your Project CI/CD settings, uncheck the Public pipelines setting and click Save changes.

[Screenshot: Screenshot_2023-09-28_at_3.13.02_PM]

  3. As an unauthenticated user (I recommend opening a new browser window with a different session), go to /<group>/<project>/-/pipeline_schedules and observe that the page content is visible.

[Screenshot: Screenshot_2023-09-28_at_3.15.05_PM]

How to set up and validate locally

  1. Follow Steps 1-2 in the above section.
  2. As an unauthenticated user, go to /<group>/<project>/-/pipeline_schedules and observe that the page now returns a 404 error.

[Screenshot: Screenshot_2023-09-28_at_3.21.18_PM]

  3. Just for safe measure, check that your project admin user still has access to that page.
  4. Enable Public pipelines in your Project's CI/CD settings and confirm that /<group>/<project>/-/pipeline_schedules is now visible for both the authenticated and unauthenticated user.
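The authorization change described above, modelled as a small added example rather than GitLab's own policy code (GitLab implements abilities with DeclarativePolicy; the Project/User structs, `public_builds` flag and function names here are assumptions). The before/after checks are run over the same four cases as the validation steps: anonymous vs. project admin, with Public pipelines on and off.

```ruby
# Hypothetical model of the :read_pipeline_schedule fix. Not GitLab code;
# the structs, the public_builds flag and the function names are assumed.
Project = Struct.new(:visibility, :public_builds, :members, keyword_init: true)
User    = Struct.new(:name, keyword_init: true)

ANONYMOUS = nil # an unauthenticated visitor

# Before the fix: the ability only looked at project visibility, so any
# visitor to a public project could read its pipeline schedules even with
# "Public pipelines" disabled.
def read_pipeline_schedule_before?(user, project)
  return true if project.visibility == :public

  !user.nil? && project.members.include?(user.name)
end

# After the fix: members keep access; everyone else needs the project to be
# public AND "Public pipelines" (public_builds) to be enabled.
def read_pipeline_schedule_after?(user, project)
  return true if !user.nil? && project.members.include?(user.name)

  project.visibility == :public && project.public_builds
end

# Evaluates a check over the four combinations from the validation steps.
# Keys are [actor, public_builds]; values are whether access is granted.
def visibility_matrix(check)
  admin = User.new(name: "admin")
  [true, false].each_with_object({}) do |public_builds, acc|
    project = Project.new(visibility: :public, public_builds: public_builds,
                          members: ["admin"])
    acc[[:anonymous, public_builds]] = check.call(ANONYMOUS, project)
    acc[[:admin, public_builds]]     = check.call(admin, project)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{visibility_matrix(method(:read_pipeline_schedule_before?))}"
  puts "after fix:  #{visibility_matrix(method(:read_pipeline_schedule_after?))}"
end
```

The only cell that changes between the two matrices is [:anonymous, false], which is exactly the case the reproduction steps exercise.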

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Leaminn Ma
