feat(actions): allow admins to manage all runners

System administrators can now view, edit, and delete any runner regardless of context (repo/org/user). Previously, admins were restricted by the same ownership rules as regular users. Also removes redundant deleted_unix filter in GetUnhealthyRunners query.
2026-01-26 20:43:59 -05:00
parent a99a5ce168
commit 32bb4d6faa
3 changed files with 18 additions and 12 deletions
--- a/models/actions/runner_health.go
+++ b/models/actions/runner_health.go
@@ -280,7 +280,7 @@ func CompleteCleanupRequest(ctx context.Context, id int64, success bool, bytesFr
 // GetUnhealthyRunners returns all runners that are unhealthy
 func GetUnhealthyRunners(ctx context.Context) ([]*ActionRunner, error) {
 	var runners []*ActionRunner
-	err := db.GetEngine(ctx).Where("deleted_unix = 0").Find(&runners)
+	err := db.GetEngine(ctx).Find(&runners)
 	if err != nil {
 		return nil, err
 	}
--- a/routers/web/shared/actions/runners.go
+++ b/routers/web/shared/actions/runners.go
@@ -200,7 +200,7 @@ func RunnersEdit(ctx *context.Context) {
 		ctx.ServerError("LoadAttributes", err)
 		return
 	}
-	if !runner.EditableInContext(ownerID, repoID) {
+	if !runner.EditableInContext(ownerID, repoID) && !ctx.Doer.IsAdmin {
 		err = errors.New("no permission to edit this runner")
 		ctx.NotFound(err)
 		return
@@ -261,7 +261,7 @@ func RunnersEditPost(ctx *context.Context) {
 		ctx.ServerError("RunnerDetailsEditPost.GetRunnerByID", err)
 		return
 	}
-	if !runner.EditableInContext(ownerID, repoID) {
+	if !runner.EditableInContext(ownerID, repoID) && !ctx.Doer.IsAdmin {
 		ctx.NotFound(util.NewPermissionDeniedErrorf("no permission to edit this runner"))
 		return
 	}
@@ -319,7 +319,7 @@ func runnerRequestTimestamp(ctx *context.Context, opName string, setField func(*
 		ctx.ServerError(opName+".GetRunnerByID", err)
 		return
 	}
-	if !runner.EditableInContext(rCtx.OwnerID, rCtx.RepoID) {
+	if !runner.EditableInContext(rCtx.OwnerID, rCtx.RepoID) && !ctx.Doer.IsAdmin {
 		ctx.NotFound(util.NewPermissionDeniedErrorf("no permission to edit this runner"))
 		return
 	}
@@ -360,7 +360,7 @@ func RunnerDeletePost(ctx *context.Context) {
 		return
 	}

-	if !runner.EditableInContext(rCtx.OwnerID, rCtx.RepoID) {
+	if !runner.EditableInContext(rCtx.OwnerID, rCtx.RepoID) && !ctx.Doer.IsAdmin {
 		ctx.NotFound(util.NewPermissionDeniedErrorf("no permission to delete this runner"))
 		return
 	}
@@ -392,16 +392,22 @@ func findActionsRunner(ctx *context.Context, rCtx *runnersCtx) *actions_model.Ac
 	opts := &actions_model.FindRunnerOptions{
 		IDs: []int64{runnerID},
 	}
+	// System admins can access any runner regardless of context
+	isAdmin := ctx.Doer != nil && ctx.Doer.IsAdmin
 	switch {
 	case rCtx.IsRepo:
-		opts.RepoID = rCtx.RepoID
-		if opts.RepoID == 0 {
-			panic("repoID is 0")
+		if !isAdmin {
+			opts.RepoID = rCtx.RepoID
+			if opts.RepoID == 0 {
+				panic("repoID is 0")
+			}
 		}
 	case rCtx.IsOrg, rCtx.IsUser:
-		opts.OwnerID = rCtx.OwnerID
-		if opts.OwnerID == 0 {
-			panic("ownerID is 0")
+		if !isAdmin {
+			opts.OwnerID = rCtx.OwnerID
+			if opts.OwnerID == 0 {
+				panic("ownerID is 0")
+			}
 		}
 	case rCtx.IsAdmin:
 		// do nothing
--- a/templates/shared/actions/runner_list.tmpl
+++ b/templates/shared/actions/runner_list.tmpl
@@ -86,7 +86,7 @@
 							<span class="tw-text-muted">-</span>
 						</td>
 						<td>
-							{{if .EditableInContext $.RunnerOwnerID $.RunnerRepoID}}
+							{{if or (.EditableInContext $.RunnerOwnerID $.RunnerRepoID) $.SignedUser.IsAdmin}}
 								<a href="{{$.Link}}/{{.ID}}">{{svg "octicon-pencil"}}</a>
 							{{end}}
 						</td>