From ce1e10c116aab5e4f77a28912e033ac3d554df06 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold <andreas@rammhold.de>
Date: Tue, 5 Nov 2019 19:24:51 +0100
Subject: [PATCH] Add bump-to-front role

---
 src/lib/Hydra/Controller/Build.pm      |  2 +-
 src/lib/Hydra/Controller/JobsetEval.pm |  2 +-
 src/lib/Hydra/Helper/CatalystUtils.pm  | 22 ++++++++++++++++++++++
 src/root/user.tt                       |  1 +
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/lib/Hydra/Controller/Build.pm b/src/lib/Hydra/Controller/Build.pm
index 3d490e06..b62b4994 100644
--- a/src/lib/Hydra/Controller/Build.pm
+++ b/src/lib/Hydra/Controller/Build.pm
@@ -540,7 +540,7 @@ sub bump : Chained('buildChain') PathPart('bump') {
 
     my $build = $c->stash->{build};
 
-    requireProjectOwner($c, $build->project); # FIXME: require admin?
+    requireBumpPrivileges($c, $build->project);
 
     $c->model('DB')->schema->txn_do(sub {
         $build->update({globalpriority => time()});
diff --git a/src/lib/Hydra/Controller/JobsetEval.pm b/src/lib/Hydra/Controller/JobsetEval.pm
index 77a4385f..31d5d4c4 100644
--- a/src/lib/Hydra/Controller/JobsetEval.pm
+++ b/src/lib/Hydra/Controller/JobsetEval.pm
@@ -210,7 +210,7 @@ sub restart_failed : Chained('evalChain') PathPart('restart-failed') Args(0) {
 
 sub bump : Chained('evalChain') PathPart('bump') Args(0) {
     my ($self, $c) = @_;
-    requireProjectOwner($c, $c->stash->{eval}->project); # FIXME: require admin?
+    requireBumpPrivileges($c, $c->stash->{eval}->project); # FIXME: require admin?
     my $builds = $c->stash->{eval}->builds->search({ finished => 0 });
     my $n = $builds->count();
     $c->model('DB')->schema->txn_do(sub {
diff --git a/src/lib/Hydra/Helper/CatalystUtils.pm b/src/lib/Hydra/Helper/CatalystUtils.pm
index b9019638..fa88aacb 100644
--- a/src/lib/Hydra/Helper/CatalystUtils.pm
+++ b/src/lib/Hydra/Helper/CatalystUtils.pm
@@ -13,6 +13,7 @@ our @EXPORT = qw(
     searchBuildsAndEvalsForJobset
     error notFound gone accessDenied
     forceLogin requireUser requireProjectOwner requireRestartPrivileges requireAdmin requirePost isAdmin isProjectOwner
+    requireBumpPrivileges
     trim
     getLatestFinishedEval getFirstEval
     paramToList
@@ -181,6 +182,27 @@ sub isProjectOwner {
          defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username }));
 }
 
+sub hasBumpJobsRole {
+    my ($c) = @_;
+    return $c->user_exists && $c->check_user_roles('bump-to-front');
+}
+
+sub mayBumpJobs {
+    my ($c, $project) = @_;
+    return
+        $c->user_exists &&
+        (isAdmin($c) ||
+         hasBumpJobsRole($c) ||
+         isProjectOwner($c, $project));
+}
+
+sub requireBumpPrivileges {
+    my ($c, $project) = @_;
+    requireUser($c);
+    accessDenied($c, "Only the project members, administrators, and accounts with bump-to-front privileges can perform this operation.")
+        unless mayBumpJobs($c, $project);
+}
+
 sub hasRestartJobsRole {
     my ($c) = @_;
     return $c->user_exists && $c->check_user_roles('restart-jobs');
diff --git a/src/root/user.tt b/src/root/user.tt
index e95ee689..86f35916 100644
--- a/src/root/user.tt
+++ b/src/root/user.tt
@@ -81,6 +81,7 @@
             [% INCLUDE roleoption role="admin" %]
             [% INCLUDE roleoption role="create-projects" %]
             [% INCLUDE roleoption role="restart-jobs" %]
+            [% INCLUDE roleoption role="bump-to-front" %]
           </select>
         </div>
       </div>