Merge pull request #1822 from coreos-inc/run-build-admin

Allow repository admins to invoke build triggers manually

endpoints/api/build.py

@@ -19,7 +19,6 @@ from endpoints.exception import Unauthorized, NotFound, InvalidRequest
 from endpoints.building import start_build, PreparedBuild
 from data import database
 from data import model
-from auth.auth_context import get_authenticated_user
 from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
                               AdministerRepositoryPermission, AdministerOrganizationPermission,
                               SuperUserPermission)
@@ -58,14 +57,7 @@ def trigger_view(trigger, can_read=False, can_admin=False, for_build=False):
     build_source = build_trigger.config.get('build_source')
 
     repo_url = build_trigger.get_repository_url() if build_source else None
-
+    can_read = can_read or can_admin
-    if can_admin:
-      can_read = True
-
-    is_connected_user = False
-    if (can_admin and get_authenticated_user() and
-        trigger.connected_user_id == get_authenticated_user().id):
-       is_connected_user = True
 
     trigger_data = {
       'id': trigger.uuid,
@@ -76,7 +68,7 @@ def trigger_view(trigger, can_read=False, can_admin=False, for_build=False):
       'repository_url': repo_url if can_read else None,
 
       'config': build_trigger.config if can_admin else {},
-      'is_connected_user': is_connected_user,
+      'can_invoke': can_admin,
     }
 
     if not for_build and can_admin and trigger.pull_robot:

endpoints/api/trigger.py

@@ -21,7 +21,7 @@ from endpoints.api.build import build_status_view, trigger_view, RepositoryBuild
 from endpoints.building import start_build
 from data import model
 from auth.permissions import (UserAdminPermission, AdministerOrganizationPermission,
-                              ReadRepositoryPermission)
+                              ReadRepositoryPermission, AdministerRepositoryPermission)
 from util.names import parse_robot_username
 from util.dockerfileparse import parse_dockerfile
 
@@ -194,7 +194,7 @@ class BuildTriggerActivate(RepositoryParamResource):
           raise NotFound()
 
         # Make sure the user has administer permissions for the robot's namespace.
-        (robot_namespace, shortname) = parse_robot_username(pull_robot_name)
+        (robot_namespace, _) = parse_robot_username(pull_robot_name)
         if not AdministerOrganizationPermission(robot_namespace).can():
           raise Unauthorized()
 
@@ -480,8 +480,7 @@ class BuildTriggerFieldValues(RepositoryParamResource):
       raise NotFound()
 
     config = request.get_json() or None
-    user_permission = UserAdminPermission(trigger.connected_user.username)
+    if AdministerRepositoryPermission(namespace_name, repo_name).can():
-    if user_permission.can():
       handler = BuildTriggerHandler.get_handler(trigger, config)
       values = handler.list_field_values(field_name, limit=FIELD_VALUE_LIMIT)
 

static/directives/dockerfile-build-dialog.html

@@ -40,8 +40,8 @@
               <tr ng-repeat="trigger in triggers">
                 <td><span class="trigger-description" trigger="trigger"></span></td>
                 <td>
-                  <button class="btn btn-primary" ng-click="runTriggerNow(trigger)" ng-if="trigger.is_connected_user">Run Trigger</button>
+                  <button class="btn btn-primary" ng-click="runTriggerNow(trigger)" ng-if="trigger.can_invoke">Run Trigger</button>
-                  <span class="empty" ng-if="!trigger.is_connected_user">You cannot start triggers created by another user</span>
+                  <span class="empty" ng-if="!trigger.can_invoke">You do not have permission to run this trigger</span>
                 </td>
               </tr>
             </table>

static/directives/repo-view/repo-panel-builds.html

@@ -147,7 +147,7 @@
                   <i class="fa fa-unlock-alt"></i> View Credentials
                 </span>
                 <span class="cor-option" option-click="askRunTrigger(trigger)"
-                      ng-class="trigger.is_connected_user ? '' : 'disabled'">
+                      ng-class="trigger.can_invoke ? '' : 'disabled'">
                   <i class="fa fa-chevron-right"></i> Run Trigger Now
                 </span>
                 <span class="cor-option" option-click="askDeleteTrigger(trigger)">

static/js/directives/repo-view/repo-panel-builds.js

@@ -199,9 +199,8 @@ angular.module('quay').directive('repoPanelBuilds', function () {
       };
 
       $scope.askRunTrigger = function(trigger) {
-        if (!trigger.is_connected_user) {
+        if (!trigger.can_invoke) {
-          bootbox.alert('For security reasons, only the user that created this trigger can ' +
+          bootbox.alert('You do not have permission to manually invoke this trigger');
-                        'manually invoke this trigger');
           return;
         }