Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
f16377e7
Commit
f16377e7
authored
Apr 05, 2017
by
James Edwards-Jones
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Protected Tags backend review changes
Added changelog
parent
18506d4b
Changes
25
Hide whitespace changes
Inline
Side-by-side
Showing
25 changed files
with
125 additions
and
74 deletions
+125
-74
app/controllers/projects/protected_branches_controller.rb
app/controllers/projects/protected_branches_controller.rb
+3
-15
app/controllers/projects/protected_refs_controller.rb
app/controllers/projects/protected_refs_controller.rb
+10
-11
app/controllers/projects/protected_tags_controller.rb
app/controllers/projects/protected_tags_controller.rb
+3
-15
app/helpers/branches_helper.rb
app/helpers/branches_helper.rb
+4
-0
app/models/concerns/protected_branch_access.rb
app/models/concerns/protected_branch_access.rb
+1
-0
app/models/concerns/protected_ref.rb
app/models/concerns/protected_ref.rb
+1
-0
app/models/concerns/protected_tag_access.rb
app/models/concerns/protected_tag_access.rb
+1
-0
app/models/project.rb
app/models/project.rb
+1
-1
app/models/protectable_dropdown.rb
app/models/protectable_dropdown.rb
+9
-2
app/services/protected_branches/update_service.rb
app/services/protected_branches/update_service.rb
+2
-5
app/services/protected_tags/update_service.rb
app/services/protected_tags/update_service.rb
+2
-5
app/views/projects/branches/_branch.html.haml
app/views/projects/branches/_branch.html.haml
+1
-1
app/views/projects/protected_branches/show.html.haml
app/views/projects/protected_branches/show.html.haml
+4
-4
app/views/projects/protected_tags/show.html.haml
app/views/projects/protected_tags/show.html.haml
+4
-4
changelogs/unreleased/18471-restrict-tag-pushes-protected-tags.yml
...s/unreleased/18471-restrict-tag-pushes-protected-tags.yml
+4
-0
db/migrate/20170309173138_create_protected_tags.rb
db/migrate/20170309173138_create_protected_tags.rb
+0
-1
lib/gitlab/checks/change_access.rb
lib/gitlab/checks/change_access.rb
+2
-8
spec/controllers/projects/protected_branches_controller_spec.rb
...ontrollers/projects/protected_branches_controller_spec.rb
+1
-0
spec/controllers/projects/protected_tags_controller_spec.rb
spec/controllers/projects/protected_tags_controller_spec.rb
+1
-0
spec/features/protected_branches/access_control_ce_spec.rb
spec/features/protected_branches/access_control_ce_spec.rb
+12
-0
spec/features/protected_tags/access_control_ce_spec.rb
spec/features/protected_tags/access_control_ce_spec.rb
+6
-0
spec/models/protectable_dropdown_spec.rb
spec/models/protectable_dropdown_spec.rb
+1
-0
spec/models/protected_tag_spec.rb
spec/models/protected_tag_spec.rb
+0
-2
spec/services/protected_branches/update_service_spec.rb
spec/services/protected_branches/update_service_spec.rb
+26
-0
spec/services/protected_tags/update_service_spec.rb
spec/services/protected_tags/update_service_spec.rb
+26
-0
No files found.
app/controllers/projects/protected_branches_controller.rb
View file @
f16377e7
class
Projects::ProtectedBranchesController
<
Projects
::
ProtectedRefsController
protected
def
protected_ref
@protected_branch
end
def
protected_ref
=
(
val
)
@protected_branch
=
val
end
def
matching_refs
=
(
val
)
@matching_branches
=
val
end
def
project_refs
@project
.
repository
.
branches
end
def
create_service
def
create_service
_class
::
ProtectedBranches
::
CreateService
end
def
update_service
def
update_service
_class
::
ProtectedBranches
::
UpdateService
end
def
load_protected_ref
self
.
protected_ref
=
@project
.
protected_branches
.
find
(
params
[
:id
])
@
protected_ref
=
@project
.
protected_branches
.
find
(
params
[
:id
])
end
def
protected_ref_params
...
...
app/controllers/projects/protected_refs_controller.rb
View file @
f16377e7
class
Projects::ProtectedRefsController
<
Projects
::
ApplicationController
include
RepositorySettingsRedirect
# Authorize
before_action
:require_non_empty_project
before_action
:authorize_admin_project!
...
...
@@ -12,33 +13,31 @@ class Projects::ProtectedRefsController < Projects::ApplicationController
end
def
create
self
.
protected_ref
=
create_service
.
new
(
@project
,
current_user
,
protected_ref_params
).
execute
protected_ref
=
create_service_class
.
new
(
@project
,
current_user
,
protected_ref_params
).
execute
unless
protected_ref
.
persisted?
flash
[
:alert
]
=
protected_ref
.
errors
.
full_messages
.
join
(
', '
).
html_safe
end
redirect_to_repository_settings
(
@project
)
end
def
show
self
.
matching_refs
=
protected_ref
.
matching
(
project_refs
)
@matching_refs
=
@
protected_ref
.
matching
(
project_refs
)
end
def
update
self
.
protected_ref
=
update_service
.
new
(
@project
,
current_user
,
protected_ref_params
).
execute
(
protected_ref
)
@protected_ref
=
update_service_class
.
new
(
@project
,
current_user
,
protected_ref_params
).
execute
(
@
protected_ref
)
if
protected_ref
.
valid?
respond_to
do
|
format
|
format
.
json
{
render
json:
protected_ref
,
status: :ok
}
end
if
@protected_ref
.
valid?
render
json:
@protected_ref
,
status: :ok
else
respond_to
do
|
format
|
format
.
json
{
render
json:
protected_ref
.
errors
,
status: :unprocessable_entity
}
end
render
json:
@protected_ref
.
errors
,
status: :unprocessable_entity
end
end
def
destroy
protected_ref
.
destroy
@
protected_ref
.
destroy
respond_to
do
|
format
|
format
.
html
{
redirect_to_repository_settings
(
@project
)
}
...
...
app/controllers/projects/protected_tags_controller.rb
View file @
f16377e7
class
Projects::ProtectedTagsController
<
Projects
::
ProtectedRefsController
protected
def
protected_ref
@protected_tag
end
def
protected_ref
=
(
val
)
@protected_tag
=
val
end
def
matching_refs
=
(
val
)
@matching_tags
=
val
end
def
project_refs
@project
.
repository
.
tags
end
def
create_service
def
create_service
_class
::
ProtectedTags
::
CreateService
end
def
update_service
def
update_service
_class
::
ProtectedTags
::
UpdateService
end
def
load_protected_ref
self
.
protected_ref
=
@project
.
protected_tags
.
find
(
params
[
:id
])
@
protected_ref
=
@project
.
protected_tags
.
find
(
params
[
:id
])
end
def
protected_ref_params
...
...
app/helpers/branches_helper.rb
View file @
f16377e7
...
...
@@ -29,4 +29,8 @@ module BranchesHelper
def
project_branches
options_for_select
(
@project
.
repository
.
branch_names
,
@project
.
default_branch
)
end
def
protected_branch?
(
project
,
branch
)
ProtectedBranch
.
protected?
(
project
,
branch
.
name
)
end
end
app/models/concerns/protected_branch_access.rb
View file @
f16377e7
...
...
@@ -5,6 +5,7 @@ module ProtectedBranchAccess
include
ProtectedRefAccess
belongs_to
:protected_branch
delegate
:project
,
to: :protected_branch
end
end
app/models/concerns/protected_ref.rb
View file @
f16377e7
...
...
@@ -3,6 +3,7 @@ module ProtectedRef
included
do
belongs_to
:project
validates
:name
,
presence:
true
validates
:project
,
presence:
true
...
...
app/models/concerns/protected_tag_access.rb
View file @
f16377e7
...
...
@@ -5,6 +5,7 @@ module ProtectedTagAccess
include
ProtectedRefAccess
belongs_to
:protected_tag
delegate
:project
,
to: :protected_tag
end
end
app/models/project.rb
View file @
f16377e7
...
...
@@ -134,7 +134,7 @@ class Project < ActiveRecord::Base
has_many
:snippets
,
dependent: :destroy
,
class_name:
'ProjectSnippet'
has_many
:hooks
,
dependent: :destroy
,
class_name:
'ProjectHook'
has_many
:protected_branches
,
dependent: :destroy
has_many
:protected_tags
,
dependent: :destroy
has_many
:protected_tags
,
dependent: :destroy
has_many
:project_authorizations
has_many
:authorized_users
,
through: :project_authorizations
,
source: :user
,
class_name:
'User'
...
...
app/models/protectable_dropdown.rb
View file @
f16377e7
...
...
@@ -6,8 +6,7 @@ class ProtectableDropdown
# Tags/branches which are yet to be individually protected
def
protectable_ref_names
non_wildcard_protections
=
protections
.
reject
(
&
:wildcard?
)
refs
.
map
(
&
:name
)
-
non_wildcard_protections
.
map
(
&
:name
)
@protectable_ref_names
||=
ref_names
-
non_wildcard_protected_ref_names
end
def
hash
...
...
@@ -20,7 +19,15 @@ class ProtectableDropdown
@project
.
repository
.
public_send
(
@ref_type
)
end
def
ref_names
refs
.
map
(
&
:name
)
end
def
protections
@project
.
public_send
(
"protected_
#{
@ref_type
}
"
)
end
def
non_wildcard_protected_ref_names
protections
.
reject
(
&
:wildcard?
).
map
(
&
:name
)
end
end
app/services/protected_branches/update_service.rb
View file @
f16377e7
module
ProtectedBranches
class
UpdateService
<
BaseService
attr_reader
:protected_branch
def
execute
(
protected_branch
)
raise
Gitlab
::
Access
::
AccessDeniedError
unless
can?
(
current_user
,
:admin_project
,
project
)
@protected_branch
=
protected_branch
@protected_branch
.
update
(
params
)
@protected_branch
protected_branch
.
update
(
params
)
protected_branch
end
end
end
app/services/protected_tags/update_service.rb
View file @
f16377e7
module
ProtectedTags
class
UpdateService
<
BaseService
attr_reader
:protected_tag
def
execute
(
protected_tag
)
raise
Gitlab
::
Access
::
AccessDeniedError
unless
can?
(
current_user
,
:admin_project
,
project
)
@protected_tag
=
protected_tag
@protected_tag
.
update
(
params
)
@protected_tag
protected_tag
.
update
(
params
)
protected_tag
end
end
end
app/views/projects/branches/_branch.html.haml
View file @
f16377e7
...
...
@@ -15,7 +15,7 @@
%span
.label.label-info.has-tooltip
{
title:
"Merged into #{@repository.root_ref}"
}
merged
-
if
ProtectedBranch
.
protected?
(
@project
,
branch
.
name
)
-
if
protected_branch?
(
@project
,
branch
)
%span
.label.label-success
protected
.controls.hidden-xs
<
...
...
app/views/projects/protected_branches/show.html.haml
View file @
f16377e7
-
page_title
@protected_
branch
.
name
,
"Protected Branches"
-
page_title
@protected_
ref
.
name
,
"Protected Branches"
.row.prepend-top-default.append-bottom-default
.col-lg-3
%h4
.prepend-top-0
=
@protected_
branch
.
name
=
@protected_
ref
.
name
.col-lg-9
%h5
Matching Branches
-
if
@matching_
branche
s
.
present?
-
if
@matching_
ref
s
.
present?
.table-responsive
%table
.table.protected-branches-list
%colgroup
...
...
@@ -18,7 +18,7 @@
%th
Branch
%th
Last commit
%tbody
-
@matching_
branche
s
.
each
do
|
matching_branch
|
-
@matching_
ref
s
.
each
do
|
matching_branch
|
=
render
partial:
"matching_branch"
,
object:
matching_branch
-
else
%p
.settings-message.text-center
...
...
app/views/projects/protected_tags/show.html.haml
View file @
f16377e7
-
page_title
@protected_
tag
.
name
,
"Protected Tags"
-
page_title
@protected_
ref
.
name
,
"Protected Tags"
.row.prepend-top-default.append-bottom-default
.col-lg-3
%h4
.prepend-top-0
=
@protected_
tag
.
name
=
@protected_
ref
.
name
.col-lg-9
%h5
Matching Tags
-
if
@matching_
tag
s
.
present?
-
if
@matching_
ref
s
.
present?
.table-responsive
%table
.table.protected-tags-list
%colgroup
...
...
@@ -18,7 +18,7 @@
%th
Tag
%th
Last commit
%tbody
-
@matching_
tag
s
.
each
do
|
matching_tag
|
-
@matching_
ref
s
.
each
do
|
matching_tag
|
=
render
partial:
"matching_tag"
,
object:
matching_tag
-
else
%p
.settings-message.text-center
...
...
changelogs/unreleased/18471-restrict-tag-pushes-protected-tags.yml
0 → 100644
View file @
f16377e7
---
title
:
Protected Tags feature
merge_request
:
10356
author
:
db/migrate/20170309173138_create_protected_tags.rb
View file @
f16377e7
class
CreateProtectedTags
<
ActiveRecord
::
Migration
include
Gitlab
::
Database
::
MigrationHelpers
# Set this constant to true if this migration requires downtime.
DOWNTIME
=
false
GITLAB_ACCESS_MASTER
=
40
...
...
lib/gitlab/checks/change_access.rb
View file @
f16377e7
...
...
@@ -70,14 +70,8 @@ module Gitlab
def
protected_tag_checks
return
unless
tag_protected?
if
update?
return
"Protected tags cannot be updated."
end
if
deletion?
return
"Protected tags cannot be deleted."
end
return
"Protected tags cannot be updated."
if
update?
return
"Protected tags cannot be deleted."
if
deletion?
unless
user_access
.
can_create_tag?
(
@tag_name
)
return
"You are not allowed to create this tag as it is protected."
...
...
spec/controllers/projects/protected_branches_controller_spec.rb
View file @
f16377e7
...
...
@@ -3,6 +3,7 @@ require('spec_helper')
describe
Projects
::
ProtectedBranchesController
do
describe
"GET #index"
do
let
(
:project
)
{
create
(
:project_empty_repo
,
:public
)
}
it
"redirects empty repo to projects page"
do
get
(
:index
,
namespace_id:
project
.
namespace
.
to_param
,
project_id:
project
)
end
...
...
spec/controllers/projects/protected_tags_controller_spec.rb
View file @
f16377e7
...
...
@@ -3,6 +3,7 @@ require('spec_helper')
describe
Projects
::
ProtectedTagsController
do
describe
"GET #index"
do
let
(
:project
)
{
create
(
:project_empty_repo
,
:public
)
}
it
"redirects empty repo to projects page"
do
get
(
:index
,
namespace_id:
project
.
namespace
.
to_param
,
project_id:
project
)
end
...
...
spec/features/protected_branches/access_control_ce_spec.rb
View file @
f16377e7
...
...
@@ -2,7 +2,9 @@ RSpec.shared_examples "protected branches > access control > CE" do
ProtectedBranch
::
PushAccessLevel
.
human_access_levels
.
each
do
|
(
access_type_id
,
access_type_name
)
|
it
"allows creating protected branches that
#{
access_type_name
}
can push to"
do
visit
namespace_project_protected_branches_path
(
project
.
namespace
,
project
)
set_protected_branch_name
(
'master'
)
within
(
'.new_protected_branch'
)
do
allowed_to_push_button
=
find
(
".js-allowed-to-push"
)
...
...
@@ -11,6 +13,7 @@ RSpec.shared_examples "protected branches > access control > CE" do
within
(
".dropdown.open .dropdown-menu"
)
{
click_on
access_type_name
}
end
end
click_on
"Protect"
expect
(
ProtectedBranch
.
count
).
to
eq
(
1
)
...
...
@@ -19,7 +22,9 @@ RSpec.shared_examples "protected branches > access control > CE" do
it
"allows updating protected branches so that
#{
access_type_name
}
can push to them"
do
visit
namespace_project_protected_branches_path
(
project
.
namespace
,
project
)
set_protected_branch_name
(
'master'
)
click_on
"Protect"
expect
(
ProtectedBranch
.
count
).
to
eq
(
1
)
...
...
@@ -34,6 +39,7 @@ RSpec.shared_examples "protected branches > access control > CE" do
end
wait_for_ajax
expect
(
ProtectedBranch
.
last
.
push_access_levels
.
map
(
&
:access_level
)).
to
include
(
access_type_id
)
end
end
...
...
@@ -41,7 +47,9 @@ RSpec.shared_examples "protected branches > access control > CE" do
ProtectedBranch
::
MergeAccessLevel
.
human_access_levels
.
each
do
|
(
access_type_id
,
access_type_name
)
|
it
"allows creating protected branches that
#{
access_type_name
}
can merge to"
do
visit
namespace_project_protected_branches_path
(
project
.
namespace
,
project
)
set_protected_branch_name
(
'master'
)
within
(
'.new_protected_branch'
)
do
allowed_to_merge_button
=
find
(
".js-allowed-to-merge"
)
...
...
@@ -50,6 +58,7 @@ RSpec.shared_examples "protected branches > access control > CE" do
within
(
".dropdown.open .dropdown-menu"
)
{
click_on
access_type_name
}
end
end
click_on
"Protect"
expect
(
ProtectedBranch
.
count
).
to
eq
(
1
)
...
...
@@ -58,7 +67,9 @@ RSpec.shared_examples "protected branches > access control > CE" do
it
"allows updating protected branches so that
#{
access_type_name
}
can merge to them"
do
visit
namespace_project_protected_branches_path
(
project
.
namespace
,
project
)
set_protected_branch_name
(
'master'
)
click_on
"Protect"
expect
(
ProtectedBranch
.
count
).
to
eq
(
1
)
...
...
@@ -73,6 +84,7 @@ RSpec.shared_examples "protected branches > access control > CE" do
end
wait_for_ajax
expect
(
ProtectedBranch
.
last
.
merge_access_levels
.
map
(
&
:access_level
)).
to
include
(
access_type_id
)
end
end
...
...
spec/features/protected_tags/access_control_ce_spec.rb
View file @
f16377e7
...
...
@@ -2,7 +2,9 @@ RSpec.shared_examples "protected tags > access control > CE" do
ProtectedTag
::
CreateAccessLevel
.
human_access_levels
.
each
do
|
(
access_type_id
,
access_type_name
)
|
it
"allows creating protected tags that
#{
access_type_name
}
can create"
do
visit
namespace_project_protected_tags_path
(
project
.
namespace
,
project
)
set_protected_tag_name
(
'master'
)
within
(
'.new_protected_tag'
)
do
allowed_to_create_button
=
find
(
".js-allowed-to-create"
)
...
...
@@ -11,6 +13,7 @@ RSpec.shared_examples "protected tags > access control > CE" do
within
(
".dropdown.open .dropdown-menu"
)
{
click_on
access_type_name
}
end
end
click_on
"Protect"
expect
(
ProtectedTag
.
count
).
to
eq
(
1
)
...
...
@@ -19,7 +22,9 @@ RSpec.shared_examples "protected tags > access control > CE" do
it
"allows updating protected tags so that
#{
access_type_name
}
can create them"
do
visit
namespace_project_protected_tags_path
(
project
.
namespace
,
project
)
set_protected_tag_name
(
'master'
)
click_on
"Protect"
expect
(
ProtectedTag
.
count
).
to
eq
(
1
)
...
...
@@ -34,6 +39,7 @@ RSpec.shared_examples "protected tags > access control > CE" do
end
wait_for_ajax
expect
(
ProtectedTag
.
last
.
create_access_levels
.
map
(
&
:access_level
)).
to
include
(
access_type_id
)
end
end
...
...
spec/models/protectable_dropdown_spec.rb
View file @
f16377e7
...
...
@@ -18,6 +18,7 @@ describe ProtectableDropdown, models: true do
create
(
:protected_branch
,
name:
'feat*'
,
project:
project
)
subject
=
described_class
.
new
(
project
.
reload
,
:branches
)
expect
(
subject
.
protectable_ref_names
).
to
include
(
'feature'
)
end
end
...
...
spec/models/protected_tag_spec.rb
View file @
f16377e7
require
'spec_helper'
describe
ProtectedTag
,
models:
true
do
subject
{
build_stubbed
(
:protected_branch
)
}
describe
'Associations'
do
it
{
is_expected
.
to
belong_to
(
:project
)
}
end
...
...
spec/services/protected_branches/update_service_spec.rb
0 → 100644
View file @
f16377e7
require
'spec_helper'
describe
ProtectedBranches
::
UpdateService
,
services:
true
do
let
(
:protected_branch
)
{
create
(
:protected_branch
)
}
let
(
:project
)
{
protected_branch
.
project
}
let
(
:user
)
{
project
.
owner
}
let
(
:params
)
{
{
name:
'new protected branch name'
}
}
describe
'#execute'
do
subject
(
:service
)
{
described_class
.
new
(
project
,
user
,
params
)
}
it
'updates a protected branch'
do
result
=
service
.
execute
(
protected_branch
)
expect
(
result
.
reload
.
name
).
to
eq
(
params
[
:name
])
end
context
'without admin_project permissions'
do
let
(
:user
)
{
create
(
:user
)
}
it
"raises error"
do
expect
{
service
.
execute
(
protected_branch
)
}.
to
raise_error
(
Gitlab
::
Access
::
AccessDeniedError
)
end
end
end
end
spec/services/protected_tags/update_service_spec.rb
0 → 100644
View file @
f16377e7
require
'spec_helper'
describe
ProtectedTags
::
UpdateService
,
services:
true
do
let
(
:protected_tag
)
{
create
(
:protected_tag
)
}
let
(
:project
)
{
protected_tag
.
project
}
let
(
:user
)
{
project
.
owner
}
let
(
:params
)
{
{
name:
'new protected tag name'
}
}
describe
'#execute'
do
subject
(
:service
)
{
described_class
.
new
(
project
,
user
,
params
)
}
it
'updates a protected tag'
do
result
=
service
.
execute
(
protected_tag
)
expect
(
result
.
reload
.
name
).
to
eq
(
params
[
:name
])
end
context
'without admin_project permissions'
do
let
(
:user
)
{
create
(
:user
)
}
it
"raises error"
do
expect
{
service
.
execute
(
protected_tag
)
}.
to
raise_error
(
Gitlab
::
Access
::
AccessDeniedError
)
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment