user_access.rb 1.84 KB
Newer Older
1
module Gitlab
2 3 4 5 6 7 8 9 10
  class UserAccess
    attr_reader :user, :project

    def initialize(user, project: nil)
      @user = user
      @project = project
    end

    def can_do_action?(action)
11
      return false unless can_access_git?
12

13 14 15 16 17 18 19 20 21
      @permission_cache ||= {}
      @permission_cache[action] ||= user.can?(action, project)
    end

    def cannot_do_action?(action)
      !can_do_action?(action)
    end

    def allowed?
22
      return false unless can_access_git?
23

Jacob Vosmaer's avatar
Jacob Vosmaer committed
24 25
      if user.requires_ldap_check? && user.try_obtain_ldap_lease
        return false unless Gitlab::LDAP::Access.allowed?(user)
26 27 28 29
      end

      true
    end
30

31
    def can_create_tag?(ref)
32 33
      return false unless can_access_git?

34
      if ProtectedTag.protected?(project, ref)
35
        project.protected_tags.protected_ref_accessible_to?(ref, user, action: :create)
36 37 38 39 40
      else
        user.can?(:push_code, project)
      end
    end

41
    def can_push_to_branch?(ref)
42
      return false unless can_access_git?
43

44
      if ProtectedBranch.protected?(project, ref)
45 46
        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)

47
        has_access = project.protected_branches.protected_ref_accessible_to?(ref, user, action: :push)
48 49

        has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)
50 51 52 53 54 55
      else
        user.can?(:push_code, project)
      end
    end

    def can_merge_to_branch?(ref)
56
      return false unless can_access_git?
57

58
      if ProtectedBranch.protected?(project, ref)
59
        project.protected_branches.protected_ref_accessible_to?(ref, user, action: :merge)
60 61 62 63 64 65
      else
        user.can?(:push_code, project)
      end
    end

    def can_read_project?
66
      return false unless can_access_git?
67 68 69

      user.can?(:read_project, project)
    end
70 71 72

    private

73 74
    def can_access_git?
      user && user.can?(:access_git)
75
    end
76 77
  end
end