diff --git a/plugins/pipelines/update.js b/plugins/pipelines/update.js
index 17c52fa78..d1fd21b2e 100644
--- a/plugins/pipelines/update.js
+++ b/plugins/pipelines/update.js
@@ -19,7 +19,8 @@ const ANNOTATION_USE_DEPLOY_KEY = 'screwdriver.cd/useDeployKey';
 */
 function getPermissionsForOldPipeline({ scmContexts, pipeline, user }) {
 // this pipeline's scmContext has been removed, allow current admin to change it
- if (!scmContexts.includes(pipeline.scmContext)) {
+ // also allow pipeline admins from other scmContexts to change it
+ if (!scmContexts.includes(pipeline.scmContext) || user.scmContext !== pipeline.scmContext) {
 const permission = { admin: false };
 
 if (pipeline.admins[user.username]) {
diff --git a/test/plugins/pipelines.test.js b/test/plugins/pipelines.test.js
index ca79e3f4a..99efd2de5 100644
--- a/test/plugins/pipelines.test.js
+++ b/test/plugins/pipelines.test.js
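Review bot: The widened condition in `getPermissionsForOldPipeline` grants admin to a user from a different `scmContext` purely on `pipeline.admins[user.username]`, a lookup keyed by bare username with no SCM context attached. Usernames are only unique within one SCM, so as far as this hunk shows, an account with the same name in another SCM context would match an admin entry recorded for someone else. This branch also resolves without calling `user.getPermissions`, so the SCM is never consulted for these users. Consider matching on an SCM-qualified identifier instead of the name alone, and at minimum tighten the visible check to `if (Object.prototype.hasOwnProperty.call(pipeline.admins, user.username) && pipeline.admins[user.username] === true) {` so only an explicit own entry counts. The function body continues past the end of the hunk.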
@@ -2942,6 +2942,32 @@ describe('pipeline plugin test', () => {
 });
 });
 
+ it('returns 200 when the user is admin from different scmContext', () => {
+ userMock.scmContext = 'gitlab:mygitlab';
+ pipelineMock.admins = { [username]: true };
+
+ return server.inject(options).then(reply => {
+ // Only call once to get permissions on the new repo
+ assert.calledOnce(userMock.getPermissions);
+ assert.calledWith(userMock.getPermissions, scmUri);
+ assert.calledOnce(updatedPipelineMock.addWebhooks);
+ assert.equal(reply.statusCode, 200);
+ });
+ });
+
+ it('returns 403 when the user is not admin from different scmContext', () => {
+ userMock.scmContext = 'gitlab:mygitlab';
+ pipelineMock.admins = { ohno: true };
+
+ return server.inject(options).then(reply => {
+ // Only call once to get permissions on the new repo
+ assert.calledOnce(userMock.getPermissions);
+ assert.calledWith(userMock.getPermissions, scmUri);
+ assert.notCalled(updatedPipelineMock.addWebhooks);
+ assert.equal(reply.statusCode, 403);
+ });
+ });
+
 it('returns 401 when the pipeline token does not have permission', () => {
 options.auth.credentials = {
 username,
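Review bot: The two new cases cover a present and an absent admin entry, but not an entry that exists without being a grant. A third case with `pipelineMock.admins = { [username]: false };` expecting 403 would pin down that only an explicit `true` passes the cross-context branch. The 200 case also sets `userMock.scmContext = 'gitlab:mygitlab'` while keying `admins` by the same bare `username`, so it documents that a name match alone is accepted across SCM contexts; a comment such as `// admins is keyed by username only; identity is not bound to scmContext` would make that assumption visible. The enclosing `describe` block and the following `it` extend outside this hunk.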