Fix permissions on :read_pipeline_schedule ability
What does this MR do and why?
Currently, a public user is able to view the /pipeline_schedules page in a public project that has "Public pipelines" disabled. Per documentation, CI/CD menu items (which include "Pipeline schedules") should not be publicly visible when "Public pipelines" is disabled.
This MR fixes the :read_pipeline_schedule ability to correct the visibility behaviour.
Resolves: #416643 (closed)
How to reproduce
- As the admin of a public Project, create any Scheduled pipeline at /<group>/<project>/-/pipeline_schedules.
- In your Project CI/CD settings, uncheck the Public pipelines setting and click Save changes.
- As an unauthenticated user (I recommend opening a new browser window with a different session), go to /<group>/<project>/-/pipeline_schedules and observe that the page content is visible.
How to set up and validate locally
- Follow Steps 1-2 in the above section.
- As an unauthenticated user, go to /<group>/<project>/-/pipeline_schedules and observe that the page now returns a 404 error.
- Just for safe measure, check that your project admin user still has access to that page.
- Enable Public pipelines in your Project's CI/CD settings and confirm that /<group>/<project>/-/pipeline_schedules is now visible for both the authenticated and unauthenticated user.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Leaminn Ma
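The anonymous-user steps under "How to set up and validate locally" can be scripted as a regression check. This is an added example, not part of the merge request or of GitLab's code; the function names and the host and project path in the usage comment are assumptions, and it treats 200 as "visible" and 404 as "hidden", as the description above does.

```shell
#!/usr/bin/env bash
# Added example: anonymous-visibility check for the pipeline schedules page.
# The caller supplies the instance URL and project path (placeholders here).

# Print the HTTP status an unauthenticated client receives for the page.
# No cookie or token is sent and redirects are not followed, so a redirect
# to a sign-in page is reported as 3xx instead of the login page's 200.
anon_schedule_status() {
  local base_url="$1" project_path="$2"
  curl --silent --output /dev/null --max-time 10 \
       --write-out '%{http_code}' \
       "${base_url%/}/${project_path}/-/pipeline_schedules"
}

# Map a status code to what the anonymous user can see.
classify_status() {
  case "$1" in
    200) echo visible ;;
    404) echo hidden ;;
    *)   echo inconclusive ;;
  esac
}

# Compare observed visibility with the one expected for the project's
# current "Public pipelines" setting: disabled -> hidden, enabled -> visible.
# Returns 0 on a match, 1 on a mismatch, 2 on bad arguments.
check_schedule_visibility() {
  local base_url="$1" project_path="$2" public_pipelines="$3"
  local expected status observed
  case "$public_pipelines" in
    disabled) expected=hidden ;;
    enabled)  expected=visible ;;
    *) echo "third argument must be enabled or disabled" >&2; return 2 ;;
  esac
  # A transport failure (DNS, timeout) is recorded as 000 and is inconclusive.
  status="$(anon_schedule_status "$base_url" "$project_path")" || status=000
  observed="$(classify_status "$status")"
  echo "HTTP ${status}: page is ${observed}, expected ${expected}"
  [ "$observed" = "$expected" ]
}

# Usage (constructed host and path):
#   check_schedule_visibility https://gitlab.example.com group/project disabled
```

Run it once with `disabled` after unchecking Public pipelines and once with `enabled` after re-enabling it; the admin-access step still needs a signed-in session and is not covered.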