Fix fork users cannot create pipelines in a fork project when parent project protects a feature branch

Merged Shinya Maeda requested to merge fix-run-pipeline-in-target-project into master

What does this MR do?

This MR fixes the bug reported in #235119 (closed).

A few months ago, we shipped a feature to allow to create a fork pipeline in the parent project if the actor has permission to create a pipeline in parent project (i.e. Developer role or above in the parent project). As reported in #235119 (closed), there is an edge case that when a feature branch is protected in the target project, a pipeline creation in parent project context will fail due to InsufficientPermissionError. Protecting feature branches is relatively uncommon usecase, however, a few users relies on this ruleset and they expect the system to run pipelines in source project context in such case. This totally makes sense thus this MR adds the protected branch check in the can_create_pipeline_in_target_project? method, which is the proxy method to select a project context between source and target for the CreatePipelineService.


Does this MR meet the acceptance criteria?


Availability and Testing


If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Kamil Trzciński | OoO 2022.07.23 till 2022.08.20