Merge branch 'prevent-editing-commits-if-unsigned-commits-is-enabled' into 'master'

Prevent editing commits if signed commits required See merge request gitlab-org/gitlab!51235

Merge branch 'prevent-editing-commits-if-unsigned-commits-is-enabled' into 'master'
Prevent editing commits if signed commits required See merge request gitlab-org/gitlab!51235
141b45f3 · Ash McKenzie · a5bff668 · bf116855 · 141b45f3 · 141b45f3
Commit 141b45f3 authored Jan 13, 2021 by Ash McKenzie
5 changed files
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -94,7 +94,7 @@ class ProjectsController < Projects::ApplicationController
          redirect_to(edit_project_path(@project, anchor: 'js-general-project-settings'))
        end
      else
-        flash.now[:alert] = result[:message]
+        flash[:alert] = result[:message]
        @project.reset

        format.html { render_edit }

--- a/ee/app/models/ee/project_setting.rb
+++ b/ee/app/models/ee/project_setting.rb
@@ -8,6 +8,23 @@ module EE
      belongs_to :push_rule

      scope :has_vulnerabilities, -> { where('has_vulnerabilities IS TRUE') }
+
+      validate :allow_editing_commits
+
+      private
+
+      def allow_editing_commits
+        return unless signed_commits_required?
+
+        error_message = _("can't be enabled because signed commits are required for this project")
+        errors.add(:allow_editing_commit_messages, error_message)
+      end
+
+      def signed_commits_required?
+        return false unless push_rule
+
+        push_rule.reject_unsigned_commits?
+      end
    end
  end
 end
--- a/ee/spec/models/ee/project_setting_spec.rb
+++ b/ee/spec/models/ee/project_setting_spec.rb
@@ -13,4 +13,35 @@ RSpec.describe ProjectSetting do

    it { is_expected.to contain_exactly(setting_1) }
  end
+
+  describe '#allow_editing_commits' do
+    subject(:setting) { build(:project_setting) }
+
+    context 'with a push rule' do
+      context 'when reject unsigned commits is enabled' do
+        it 'prevents editing commits' do
+          setting.build_push_rule
+          setting.push_rule.reject_unsigned_commits = true
+
+          expect(setting).not_to be_valid
+          expect(setting.errors[:allow_editing_commit_messages]).to be_present
+        end
+      end
+
+      context 'when reject unsigned commits is disabled' do
+        it 'allows editing commits' do
+          setting.build_push_rule
+          setting.push_rule.reject_unsigned_commits = false
+
+          expect(setting).to be_valid
+        end
+      end
+    end
+
+    context 'without a push rule' do
+      it 'allows editing commits' do
+        expect(setting).to be_valid
+      end
+    end
+  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -32938,6 +32938,9 @@ msgstr ""
 msgid "can contain only letters of the Base64 alphabet (RFC4648) with the addition of '@', ':' and '.'"
 msgstr ""

+msgid "can't be enabled because signed commits are required for this project"
+msgstr ""
+
 msgid "cannot be a date in the past"
 msgstr ""


--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -616,7 +616,7 @@ RSpec.describe ProjectsController do
          expect { update_project path: 'renamed_path' }
            .not_to change { project.reload.path }

-          expect(controller).to set_flash.now[:alert].to(s_('UpdateProject|Cannot rename project because it contains container registry tags!'))
+          expect(controller).to set_flash[:alert].to(s_('UpdateProject|Cannot rename project because it contains container registry tags!'))
          expect(response).to have_gitlab_http_status(:ok)
        end
      end