Commit 1e15444a authored by James Edwards-Jones's avatar James Edwards-Jones

Cleanup & tests for UserAccess#can_create_tag?

parent 90c8bb83
...@@ -8,7 +8,7 @@ module ProtectedRef ...@@ -8,7 +8,7 @@ module ProtectedRef
delegate :matching, :matches?, :wildcard?, to: :ref_matcher delegate :matching, :matches?, :wildcard?, to: :ref_matcher
def self.matching_refs_accesible_to(ref, user, action: :push) def self.protected_ref_accessible_to?(ref, user, action: :push)
access_levels_for_ref(ref, action: action).any? do |access_level| access_levels_for_ref(ref, action: action).any? do |access_level|
access_level.check_access(user) access_level.check_access(user)
end end
......
...@@ -79,7 +79,7 @@ module Gitlab ...@@ -79,7 +79,7 @@ module Gitlab
return "Protected tags cannot be deleted." return "Protected tags cannot be deleted."
end end
unless user_access.can_push_tag?(@tag_name) unless user_access.can_create_tag?(@tag_name)
return "You are not allowed to create this tag as it is protected." return "You are not allowed to create this tag as it is protected."
end end
end end
......
...@@ -28,14 +28,11 @@ module Gitlab ...@@ -28,14 +28,11 @@ module Gitlab
true true
end end
#TODO: Test this def can_create_tag?(ref)
#TODO move most to ProtectedTag::AccessChecker. Or maybe UserAccess::Protections::Tag
#TODO: then consider removing method, if it turns out can_access_git? and can?(:push_code are checked in change_access
def can_push_tag?(ref)
return false unless can_access_git? return false unless can_access_git?
if ProtectedTag.protected?(project, ref) if ProtectedTag.protected?(project, ref)
project.protected_tags.matching_refs_accesible_to(ref, user) project.protected_tags.protected_ref_accessible_to?(ref, user)
else else
user.can?(:push_code, project) user.can?(:push_code, project)
end end
...@@ -47,7 +44,7 @@ module Gitlab ...@@ -47,7 +44,7 @@ module Gitlab
if ProtectedBranch.protected?(project, ref) if ProtectedBranch.protected?(project, ref)
return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user) return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
has_access = project.protected_branches.matching_refs_accesible_to(ref, user, action: :push) has_access = project.protected_branches.protected_ref_accessible_to?(ref, user, action: :push)
has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref) has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)
else else
...@@ -59,7 +56,7 @@ module Gitlab ...@@ -59,7 +56,7 @@ module Gitlab
return false unless can_access_git? return false unless can_access_git?
if ProtectedBranch.protected?(project, ref) if ProtectedBranch.protected?(project, ref)
project.protected_branches.matching_refs_accesible_to(ref, user, action: :merge) project.protected_branches.protected_ref_accessible_to?(ref, user, action: :merge)
else else
user.can?(:push_code, project) user.can?(:push_code, project)
end end
......
...@@ -142,4 +142,74 @@ describe Gitlab::UserAccess, lib: true do ...@@ -142,4 +142,74 @@ describe Gitlab::UserAccess, lib: true do
end end
end end
end end
describe 'can_create_tag?' do
describe 'push to none protected tag' do
it 'returns true if user is a master' do
project.add_user(user, :master)
expect(access.can_create_tag?('random_tag')).to be_truthy
end
it 'returns true if user is a developer' do
project.add_user(user, :developer)
expect(access.can_create_tag?('random_tag')).to be_truthy
end
it 'returns false if user is a reporter' do
project.add_user(user, :reporter)
expect(access.can_create_tag?('random_tag')).to be_falsey
end
end
describe 'push to protected tag' do
let(:tag) { create(:protected_tag, project: project, name: "test") }
let(:not_existing_tag) { create :protected_tag, project: project }
it 'returns true if user is a master' do
project.add_user(user, :master)
expect(access.can_create_tag?(tag.name)).to be_truthy
end
it 'returns false if user is a developer' do
project.add_user(user, :developer)
expect(access.can_create_tag?(tag.name)).to be_falsey
end
it 'returns false if user is a reporter' do
project.add_user(user, :reporter)
expect(access.can_create_tag?(tag.name)).to be_falsey
end
end
describe 'push to protected tag if allowed for developers' do
before do
@tag = create(:protected_tag, :developers_can_push, project: project)
end
it 'returns true if user is a master' do
project.add_user(user, :master)
expect(access.can_create_tag?(@tag.name)).to be_truthy
end
it 'returns true if user is a developer' do
project.add_user(user, :developer)
expect(access.can_create_tag?(@tag.name)).to be_truthy
end
it 'returns false if user is a reporter' do
project.add_user(user, :reporter)
expect(access.can_create_tag?(@tag.name)).to be_falsey
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment