Skip to content

G
gitlab-ce
Switch branch/tag
Find file Normal viewHistoryPermalink
change_access.rb 2.47 KB
Newer Older
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
1 2 3 
module Gitlab
  module Checks
    class ChangeAccess
Lin Jen-Shin's avatar
We never check user privilege if it's a deploy key  
Lin Jen-Shin committed
4 
      attr_reader :user_access, :project, :skip_authorization
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
5
Lin Jen-Shin's avatar
We never check user privilege if it's a deploy key  
Lin Jen-Shin committed
6 
      def initialize(
Lin Jen-Shin's avatar
Merge remote-tracking branch 'upstream/master' into feature/1376-allow-write-access-deploy-keys  
Lin Jen-Shin committed
7 
        change, user_access:, project:, env: {}, skip_authorization: false)
Scott Le's avatar
api for generating new merge request  
Scott Le committed
8 9 
        @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
        @branch_name = Gitlab::Git.branch_name(@ref)
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
10 11 
        @user_access = user_access
        @project = project
Timothy Andrew's avatar
Accept environment variables from the `pre-receive` script.  
Timothy Andrew committed
12 
        @env = env
Lin Jen-Shin's avatar
We never check user privilege if it's a deploy key  
Lin Jen-Shin committed
13 
        @skip_authorization = skip_authorization
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
14 15 16 
      end

      def exec
Alejandro Rodríguez's avatar
Change the order of the access rules to check simpler first, and add specs  
Alejandro Rodríguez committed
17 
        error = push_checks || tag_checks || protected_branch_checks
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
18 19 20 21 22 23 24 25 26 27 28 

        if error
          GitAccessStatus.new(false, error)
        else
          GitAccessStatus.new(true)
        end
      end

      protected

      def protected_branch_checks
Lin Jen-Shin's avatar
We never check user privilege if it's a deploy key  
Lin Jen-Shin committed
29 
        return if skip_authorization
Paco Guzman's avatar
Avoid protected branches checks when verifying access without branch name  
Paco Guzman committed
30 
        return unless @branch_name
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
31 32 
        return unless project.protected_branch?(@branch_name)
Rémy Coutable's avatar
Remove useless permission checks in Gitlab::Checks::ChangeAccess  
Rémy Coutable committed
33 
        if forced_push?
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
34 
          return "You are not allowed to force push code to a protected branch on this project."
Rémy Coutable's avatar
Remove useless permission checks in Gitlab::Checks::ChangeAccess  
Rémy Coutable committed
35 
        elsif Gitlab::Git.blank_ref?(@newrev)
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 
          return "You are not allowed to delete protected branches from this project."
        end

        if matching_merge_request?
          if user_access.can_merge_to_branch?(@branch_name) || user_access.can_push_to_branch?(@branch_name)
            return
          else
            "You are not allowed to merge code into protected branches on this project."
          end
        else
          if user_access.can_push_to_branch?(@branch_name)
            return
          else
            "You are not allowed to push code to protected branches on this project."
          end
        end
      end

      def tag_checks
Lin Jen-Shin's avatar
We never check user privilege if it's a deploy key  
Lin Jen-Shin committed
55 56 
        return if skip_authorization
Scott Le's avatar
api for generating new merge request  
Scott Le committed
57 
        tag_ref = Gitlab::Git.tag_name(@ref)
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
58 59 60 61 62 63 64 

        if tag_ref && protected_tag?(tag_ref) && user_access.cannot_do_action?(:admin_project)
          "You are not allowed to change existing tags on this project."
        end
      end

      def push_checks
Lin Jen-Shin's avatar
We never check user privilege if it's a deploy key  
Lin Jen-Shin committed
65 66 
        return if skip_authorization
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
67 68 69 70 71 72 73 74 75 76 77 78 
        if user_access.cannot_do_action?(:push_code)
          "You are not allowed to push code to this project."
        end
      end

      private

      def protected_tag?(tag_name)
        project.repository.tag_exists?(tag_name)
      end

      def forced_push?
Timothy Andrew's avatar
Accept environment variables from the `pre-receive` script.  
Timothy Andrew committed
79 
        Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev, env: @env)
Rémy Coutable's avatar
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master'  
Rémy Coutable committed
80 81 82 83 84 85 86 87 
      end

      def matching_merge_request?
        Checks::MatchingMergeRequest.new(@newrev, @branch_name, @project).match?
      end
    end
  end
end
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7