NixOS/hydra
NixOS/hydra
1
0
Fork 0
mirror of https://github.com/NixOS/hydra.git synced 2024-10-18 17:02:28 -04:00
Code Activity

Add a restart-jobs role

Browse source 
Frequently users want Hydra access just to restart jobs. However,
prior to this commit the only way to grant that access was by giving
them full Admin access which isn't necessarily what we want to do.

By having a restart-jobs role, we can grant this privilege to users
who are known to the community and want to help, but aren't long-time
members.

I haven't tested this commit, but it looks good to me...
This commit is contained in:
Graham Christensen 2017-12-30 08:28:23 -05:00
parent 8913c682cf
commit 83a48d2d4f
No known key found for this signature in database
GPG key ID: ACA1C1D120C83D5C
3 changed files with 23 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/lib/Hydra/Controller/JobsetEval.pm
View file

@ -188,7 +188,7 @@ sub cancel : Chained('evalChain') PathPart('cancel') Args(0) {
sub restart { sub restart {
my ($self, $c, $condition) = @_; my ($self, $c, $condition) = @_;
requireProjectOwner($c, $c->stash->{eval}->project); requireRestartPrivileges($c, $c->stash->{eval}->project);
my $builds = $c->stash->{eval}->builds->search({ finished => 1, buildstatus => $condition }); my $builds = $c->stash->{eval}->builds->search({ finished => 1, buildstatus => $condition });
my $n = restartBuilds($c->model('DB')->schema, $builds); my $n = restartBuilds($c->model('DB')->schema, $builds);
$c->flash->{successMsg} = "$n builds have been restarted."; $c->flash->{successMsg} = "$n builds have been restarted.";

24
src/lib/Hydra/Helper/CatalystUtils.pm
View file

@ -12,7 +12,7 @@ our @EXPORT = qw(
getBuild getPreviousBuild getNextBuild getPreviousSuccessfulBuild getBuild getPreviousBuild getNextBuild getPreviousSuccessfulBuild
searchBuildsAndEvalsForJobset searchBuildsAndEvalsForJobset
error notFound gone accessDenied error notFound gone accessDenied
forceLogin requireUser requireProjectOwner requireAdmin requirePost isAdmin isProjectOwner forceLogin requireUser requireProjectOwner requireRestartPrivileges requireAdmin requirePost isAdmin isProjectOwner
trim trim
getLatestFinishedEval getFirstEval getLatestFinishedEval getFirstEval
paramToList paramToList
@ -172,7 +172,6 @@ sub requireUser {
forceLogin($c) if !$c->user_exists; forceLogin($c) if !$c->user_exists;
} }
sub isProjectOwner { sub isProjectOwner {
my ($c, $project) = @_; my ($c, $project) = @_;
return return
@ -182,6 +181,26 @@ sub isProjectOwner {
defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username })); defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username }));
} }
sub hasRestartJobsRole {
my ($c) = @_;
return $c->user_exists && $c->check_user_roles('restart-jobs');
}
sub mayRestartJobs {
my ($c, $project) = @_;
return
$c->user_exists &&
(isAdmin($c) ||
hasRestartJobsRole($c) ||
isProjectOwner($c, $project));
}
sub requireRestartPrivileges {
my ($c, $project) = @_;
requireUser($c);
accessDenied($c, "Only the project members, administrators, and accounts with restart-jobs privileges can perform this operation.")
unless mayRestartJobs($c, $project);
}
sub requireProjectOwner { sub requireProjectOwner {
my ($c, $project) = @_; my ($c, $project) = @_;
@ -196,7 +215,6 @@ sub isAdmin {
return $c->user_exists && $c->check_user_roles('admin'); return $c->user_exists && $c->check_user_roles('admin');
} }
sub requireAdmin { sub requireAdmin {
my ($c) = @_; my ($c) = @_;
requireUser($c); requireUser($c);

1
src/root/user.tt
View file

@ -80,6 +80,7 @@
<select multiple="multiple" name="roles" class="span3" [% IF !c.check_user_roles('admin') %]disabled="disabled"[% END %]> <select multiple="multiple" name="roles" class="span3" [% IF !c.check_user_roles('admin') %]disabled="disabled"[% END %]>
[% INCLUDE roleoption role="admin" %] [% INCLUDE roleoption role="admin" %]
[% INCLUDE roleoption role="create-projects" %] [% INCLUDE roleoption role="create-projects" %]
[% INCLUDE roleoption role="restart-jobs" %]
</select> </select>
</div> </div>
</div> </div>