From e00b2d4bd340d87406d66de94393c3cfdae15d6e Mon Sep 17 00:00:00 2001
From: qwerty287 <80460567+qwerty287@users.noreply.github.com>
Date: Wed, 20 Mar 2024 21:04:51 +0100
Subject: [PATCH] Only allow to deploy from push, tag and release (#3522)

---
 server/api/pipeline.go                          | 13 ++++++++++---
 web/src/views/repo/pipeline/PipelineWrapper.vue |  5 ++++-
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/server/api/pipeline.go b/server/api/pipeline.go
index c151e1f26..2a98f6a9c 100644
--- a/server/api/pipeline.go
+++ b/server/api/pipeline.go
@@ -409,12 +409,19 @@ func PostPipeline(c *gin.Context) {
 	// make Deploy overridable
 	pl.Deploy = c.DefaultQuery("deploy_to", pl.Deploy)
 
-	// make Event overridable
+	// make Event overridable to deploy
+	// TODO refactor to use own proper API for deploy
 	if event, ok := c.GetQuery("event"); ok {
+		// only allow deploy from push, tag and release
+		if pl.Event != model.EventPush && pl.Event != model.EventTag && pl.Event != model.EventRelease {
+			_ = c.AbortWithError(http.StatusBadRequest, fmt.Errorf("can only deploy push, tag and release pipelines"))
+			return
+		}
+
 		pl.Event = model.WebhookEvent(event)
 
-		if err := pl.Event.Validate(); err != nil {
-			_ = c.AbortWithError(http.StatusBadRequest, err)
+		if pl.Event != model.EventDeploy {
+			_ = c.AbortWithError(http.StatusBadRequest, model.ErrInvalidWebhookEvent)
 			return
 		}
 	}
diff --git a/web/src/views/repo/pipeline/PipelineWrapper.vue b/web/src/views/repo/pipeline/PipelineWrapper.vue
index 535b1d04f..b54ae2c2e 100644
--- a/web/src/views/repo/pipeline/PipelineWrapper.vue
+++ b/web/src/views/repo/pipeline/PipelineWrapper.vue
@@ -45,7 +45,10 @@
               @click="restartPipeline"
             />
             <Button
-              v-if="pipeline.status === 'success'"
+              v-if="
+                pipeline.status === 'success' &&
+                (pipeline.event === 'push' || pipeline.event === 'tag' || pipeline.event === 'release')
+              "
               class="flex-shrink-0"
               :text="$t('repo.pipeline.actions.deploy')"
               @click="showDeployPipelinePopup = true"