Check build permissions when restarting build/job via API (#1167)

pavel-d · web-flow · commit 13bbf473aa38 · 2020-11-18T15:30:54.000+02:00
diff --git a/lib/travis/api/enqueue/services/restart_model.rb b/lib/travis/api/enqueue/services/restart_model.rb
@@ -78,7 +78,15 @@ def target
         private
 
         def permission?
-          current_user && current_user.permission?(required_role, repository_id: target.repository_id) && !abusive?
+          current_user && current_user.permission?(required_role, repository_id: target.repository_id) && !abusive? && build_permission?
+        end
+
+        def build_permission?
+          # nil value is considered true
+          return false if repository.permissions.find_by(user_id: current_user.id).build == false
+          return false if repository.owner_type == 'Organization' && repository.owner.memberships.find_by(user_id: current_user.id)&.build_permission == false
+
+          true
         end
 
         def abusive?
diff --git a/spec/lib/travis/api/enqueue/services/restart_model_spec.rb b/spec/lib/travis/api/enqueue/services/restart_model_spec.rb
@@ -0,0 +1,92 @@
+describe Travis::Enqueue::Services::RestartModel do
+  let(:owner) { FactoryBot.create(:user) }
+  let(:repository) { FactoryBot.create(:repository, owner: owner) }
+  let(:job) { FactoryBot.create(:job, repository: repository, state: 'canceled') }
+  let(:user) { FactoryBot.create(:user) }
+
+  let(:service) { Travis::Enqueue::Services::RestartModel.new(user, { job_id: job.id }) }
+
+  before do
+    Travis.config.billing.url = 'http://localhost:9292/'
+    Travis.config.billing.auth_key = 'secret'
+
+    stub_request(:post, /http:\/\/localhost:9292\/(users|organizations)\/(.+)\/authorize_build/).to_return(
+      body: MultiJson.dump(allowed: true, rejection_code: nil)
+    )
+  end
+
+  after do
+    Travis.config.billing.url = nil
+    Travis.config.billing.auth_key = nil
+  end
+
+  describe 'push' do
+    let(:payload) { { id: job.id, user_id: user.id } }
+
+    subject { service.push('job:restart', payload) }
+
+    shared_examples 'restarts the job' do
+      it do
+        expect(subject.value).to eq({ id: job.id, user_id: user.id })
+        expect(subject.error).to eq(nil)
+      end
+    end
+
+    shared_examples 'does not restart the job' do
+      it do
+        expect(subject.value).to eq(nil)
+        expect(subject.error).to eq('restart failed')
+      end
+    end
+
+    context 'build permissions' do
+      context 'when owner is a user' do
+        context 'on repo level' do
+          context 'when value is nil' do
+            before { repository.permissions.create(user: user, build: nil) }
+
+            include_examples 'restarts the job'
+          end
+
+          context 'when value is true' do
+            before { repository.permissions.create(user: user, build: true) }
+
+            include_examples 'restarts the job'
+          end
+
+          context 'when value is false' do
+            before { repository.permissions.create(user: user, build: false) }
+
+            include_examples 'does not restart the job'
+          end
+        end
+      end
+
+      context 'when owner is an organization' do
+        let(:owner) { FactoryBot.create(:org) }
+
+        before { repository.permissions.create(user: user, build: true) }
+
+        context 'on organization level' do
+          context 'when value is nil' do
+            before { owner.memberships.create(user: user, build_permission: nil) }
+
+            include_examples 'restarts the job'
+          end
+
+          context 'when value is true' do
+            before { owner.memberships.create(user: user, build_permission: true) }
+
+            include_examples 'restarts the job'
+          end
+
+          context 'when value is false' do
+            before { owner.memberships.create(user: user, build_permission: false) }
+
+            include_examples 'does not restart the job'
+          end
+        end
+      end
+    end
+  end
+end
