"Cancel Pipeline" button is visible to users without permission
I don't know if that is a bug or intended, but I just noticed that the "Cancel running" button appears for me in a randomly picked pipeline in this project.
I noticed that while looking at the progress of the pipeline from my MR. I picked another random pipeline to see if the button appears there too (it could have been that I could cancel the pipeline as it was running on my MR).
I have not checked if clicking on the button actually cancels the pipeline, as I don't want to cancel any running pipelines here. If it would be blocked behind the scenes, it should still be hidden for users without permission.
Proposed fix
- There's a `before_action` validation that happens in the pipelines controller https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/controllers/projects/pipelines_controller.rb#L289, this contains the following validation code: `unless can?(current_user, :update_pipeline, @pipeline)`. We should send the result of that validation via the following HAML file https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/views/projects/pipelines/show.html.haml#L13
- The validation should be sent to a prop to the Vue header_component file
Edited by Jose Ivan Vargas
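
A sketch of the proposed fix, added here as an illustration and not taken from the GitLab code base: one `can?` result both guards the cancel action on the server and is passed to the header as a prop that hides the button. `User`, `Pipeline`, `PipelinesController`, `header_data`, `header_buttons` and the `can_update_pipeline` prop name are plain-Ruby stand-ins and assumptions.

```ruby
require 'json'

# Plain-Ruby stand-ins (assumptions), not GitLab's models or policy classes.
User = Struct.new(:name, :abilities)
Pipeline = Struct.new(:id, :status)
class AccessDenied < StandardError; end

# Stand-in for the can? helper quoted above: abilities are a list on the user.
def can?(user, ability, _subject)
  !user.nil? && user.abilities.include?(ability)
end

class PipelinesController
  def initialize(current_user, pipeline)
    @current_user = current_user
    @pipeline = pipeline
  end

  # Server-side enforcement: the same check the before_action performs.
  def cancel
    raise AccessDenied unless can?(@current_user, :update_pipeline, @pipeline)
    @pipeline.status = 'canceled'
    @pipeline
  end

  # Data the view would serialize for the header component (hypothetical shape).
  def header_data
    { pipeline_id: @pipeline.id,
      can_update_pipeline: can?(@current_user, :update_pipeline, @pipeline) }
  end
end

# Stand-in for the header component: renders the button only when the prop is true.
def header_buttons(props_json)
  props = JSON.parse(props_json)
  props['can_update_pipeline'] ? ['Cancel running'] : []
end

if __FILE__ == $PROGRAM_NAME
  guest = User.new('guest', []) # constructed sample users
  maintainer = User.new('maintainer', [:update_pipeline])
  [guest, maintainer].each do |user|
    ctrl = PipelinesController.new(user, Pipeline.new(1, 'running'))
    puts "#{user.name}: buttons=#{header_buttons(ctrl.header_data.to_json)}"
  end
end
```

The prop only controls visibility; the check in `cancel` still rejects a request sent without the button.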