Add access check to Ci::EnqueueJobService & add tests that cover protected env access (!227714) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Context

Ci::EnqueueJobService is a central point for starting manual jobs for features like protected environments, but it doesn't have good test coverage as it was shown in gitlab-com/gl-infra/production#19377 (closed).

Moreover, it does not have defense in depth and relies on the caller to enforce authorization checks. We check the ability :play_job in Ci::PlayBuildService and Ci::PlayBridgeService. But it's not enforced in Ci::Pipeline#reset_source_bridge!.

This MR

This MR adds an access check inside Ci::EnqueueJobService so that it's applied no matter where the service is called. This prevents jobs from being enqueued in protected environments where the user does not have access.

Test coverage has been added for various environment/access scenarios. They follow the permission chart below (generated by Claude Code):

This change is made behind a feature flag: ci_enqueue_job_authorization. Roll-out issue: #593898

References

Resolves Add defense in-depth and improve tests for Enqu... (#524123 - closed)
Feature flag roll out issue: [FF] `ci_enqueue_job_authorization` -- Add auth... (#593898)

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #524123 (closed)

Edited Mar 17, 2026 by Leaminn Ma

Add access check to Ci::EnqueueJobService & add tests that cover protected env access

What does this MR do and why?

Context

This MR

References

MR acceptance checklist

Merge request reports