Commit 19672217 authored by Tan Le's avatar Tan Le

Remove push rule locks on group and project level

When group level push rules are checked, the children project level ones
are locked but the values are not checked. This behavior leaves the
permission in inconsistent states. The same issue is also observed
between instance level and group level push rules.

This commit remove locks imposed by instance level and group level on
the lower lever push rules.
parent 39a42292
...@@ -98,16 +98,6 @@ module EE ...@@ -98,16 +98,6 @@ module EE
@subject.saml_group_sync_available? @subject.saml_group_sync_available?
end end
with_scope :global
condition(:commit_committer_check_disabled_globally) do
!PushRule.global&.commit_committer_check
end
with_scope :global
condition(:reject_unsigned_commits_disabled_globally) do
!PushRule.global&.reject_unsigned_commits
end
condition(:commit_committer_check_available) do condition(:commit_committer_check_available) do
@subject.feature_available?(:commit_committer_check) @subject.feature_available?(:commit_committer_check)
end end
...@@ -329,9 +319,7 @@ module EE ...@@ -329,9 +319,7 @@ module EE
prevent(:download_wiki_code) prevent(:download_wiki_code)
end end
rule { admin | (commit_committer_check_disabled_globally & can?(:maintainer_access)) }.policy do rule { admin | maintainer }.enable :change_commit_committer_check
enable :change_commit_committer_check
end
rule { commit_committer_check_available }.policy do rule { commit_committer_check_available }.policy do
enable :read_commit_committer_check enable :read_commit_committer_check
...@@ -341,7 +329,7 @@ module EE ...@@ -341,7 +329,7 @@ module EE
prevent :change_commit_committer_check prevent :change_commit_committer_check
end end
rule { admin | (reject_unsigned_commits_disabled_globally & can?(:maintainer_access)) }.enable :change_reject_unsigned_commits rule { admin | maintainer }.enable :change_reject_unsigned_commits
rule { reject_unsigned_commits_available }.enable :read_reject_unsigned_commits rule { reject_unsigned_commits_available }.enable :read_reject_unsigned_commits
......
...@@ -23,16 +23,6 @@ module EE ...@@ -23,16 +23,6 @@ module EE
with_scope :global with_scope :global
condition(:is_development) { Rails.env.development? } condition(:is_development) { Rails.env.development? }
with_scope :global
condition(:reject_unsigned_commits_disabled_globally) do
!PushRule.global&.reject_unsigned_commits
end
with_scope :global
condition(:commit_committer_check_disabled_globally) do
!PushRule.global&.commit_committer_check
end
with_scope :global with_scope :global
condition(:locked_approvers_rules) do condition(:locked_approvers_rules) do
License.feature_available?(:admin_merge_request_approvers_rules) && License.feature_available?(:admin_merge_request_approvers_rules) &&
...@@ -74,42 +64,11 @@ module EE ...@@ -74,42 +64,11 @@ module EE
group_push_rules_enabled? && subject.group.push_rule group_push_rules_enabled? && subject.group.push_rule
end end
with_scope :subject
condition(:reject_unsigned_commits_disabled_by_group) do
if group_push_rule_present?
!subject.group.push_rule.reject_unsigned_commits
else
true
end
end
condition(:can_change_reject_unsigned_commits) do
admin? ||
(can?(:maintainer_access) &&
reject_unsigned_commits_disabled_globally? &&
reject_unsigned_commits_disabled_by_group?)
end
condition(:commit_committer_check_disabled_by_group) do
if group_push_rule_present?
!subject.group.push_rule.commit_committer_check
else
true
end
end
with_scope :subject with_scope :subject
condition(:commit_committer_check_available) do condition(:commit_committer_check_available) do
@subject.feature_available?(:commit_committer_check) @subject.feature_available?(:commit_committer_check)
end end
condition(:can_change_commit_commiter_check) do
admin? ||
(can?(:maintainer_access) &&
commit_committer_check_disabled_globally? &&
commit_committer_check_disabled_by_group?)
end
with_scope :subject with_scope :subject
condition(:reject_unsigned_commits_available) do condition(:reject_unsigned_commits_available) do
@subject.feature_available?(:reject_unsigned_commits) @subject.feature_available?(:reject_unsigned_commits)
...@@ -322,13 +281,13 @@ module EE ...@@ -322,13 +281,13 @@ module EE
rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches
rule { can_change_reject_unsigned_commits }.enable :change_reject_unsigned_commits rule { admin | maintainer }.enable :change_reject_unsigned_commits
rule { reject_unsigned_commits_available }.enable :read_reject_unsigned_commits rule { reject_unsigned_commits_available }.enable :read_reject_unsigned_commits
rule { ~reject_unsigned_commits_available }.prevent :change_reject_unsigned_commits rule { ~reject_unsigned_commits_available }.prevent :change_reject_unsigned_commits
rule { can_change_commit_commiter_check }.enable :change_commit_committer_check rule { admin | maintainer }.enable :change_commit_committer_check
rule { commit_committer_check_available }.enable :read_commit_committer_check rule { commit_committer_check_available }.enable :read_commit_committer_check
......
---
title: Remove push rules locks on group and project level
merge_request: 58195
author:
type: fixed
...@@ -970,29 +970,17 @@ RSpec.describe GroupPolicy do ...@@ -970,29 +970,17 @@ RSpec.describe GroupPolicy do
stub_licensed_features(commit_committer_check: true) stub_licensed_features(commit_committer_check: true)
end end
context 'the user is a maintainer' do context 'when the user is an admin', :enable_admin_mode do
let(:current_user) { maintainer } let(:current_user) { admin }
it { is_expected.to be_allowed(:change_commit_committer_check) } it { is_expected.to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) } it { is_expected.to be_allowed(:read_commit_committer_check) }
end end
context 'the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
context 'it is enabled on global level' do
before do
create(:push_rule_sample, commit_committer_check: true)
end
context 'the user is a maintainer' do context 'the user is a maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) } it { is_expected.to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) } it { is_expected.to be_allowed(:read_commit_committer_check) }
end end
...@@ -1003,7 +991,6 @@ RSpec.describe GroupPolicy do ...@@ -1003,7 +991,6 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_allowed(:read_commit_committer_check) } it { is_expected.to be_allowed(:read_commit_committer_check) }
end end
end end
end
context 'reject_unsigned_commits is not enabled by the current license' do context 'reject_unsigned_commits is not enabled by the current license' do
before do before do
...@@ -1021,29 +1008,17 @@ RSpec.describe GroupPolicy do ...@@ -1021,29 +1008,17 @@ RSpec.describe GroupPolicy do
stub_licensed_features(reject_unsigned_commits: true) stub_licensed_features(reject_unsigned_commits: true)
end end
context 'the user is a maintainer' do context 'when the user is an admin', :enable_admin_mode do
let(:current_user) { maintainer } let(:current_user) { admin }
it { is_expected.to be_allowed(:change_reject_unsigned_commits) } it { is_expected.to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) } it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end end
context 'the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'it is enabled on global level' do
before do
create(:push_rule_sample, reject_unsigned_commits: true)
end
context 'the user is a maintainer' do context 'the user is a maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) } it { is_expected.to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) } it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end end
...@@ -1053,14 +1028,6 @@ RSpec.describe GroupPolicy do ...@@ -1053,14 +1028,6 @@ RSpec.describe GroupPolicy do
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) } it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) } it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end end
context 'the user is an admin', :enable_admin_mode do
let(:current_user) { admin }
it { is_expected.to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
end
end end
shared_examples 'analytics policy' do |action| shared_examples 'analytics policy' do |action|
......
...@@ -1126,60 +1126,27 @@ RSpec.describe ProjectPolicy do ...@@ -1126,60 +1126,27 @@ RSpec.describe ProjectPolicy do
stub_licensed_features(commit_committer_check: true) stub_licensed_features(commit_committer_check: true)
end end
context 'the user is a maintainer' do context 'when the user is an admin', :enable_admin_mode do
let(:current_user) { maintainer } let(:current_user) { admin }
it { is_expected.to be_allowed(:change_commit_committer_check) } it { is_expected.to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) } it { is_expected.to be_allowed(:read_commit_committer_check) }
end end
context 'the user is a developer' do context 'the user is a maintainer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
context 'it is enabled on global level' do
before do
create(:push_rule_sample, commit_committer_check: true)
end
context 'when the user is a maintainer' do
let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
context 'when the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
end
context 'it is enabled on group level' do
let(:push_rule) { create(:push_rule, commit_committer_check: true) }
let(:group) { create(:group, push_rule: push_rule) }
let(:project) { create(:project, namespace_id: group.id) }
context 'when the user is a maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) } it { is_expected.to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) } it { is_expected.to be_allowed(:read_commit_committer_check) }
end end
context 'when the user is a developer' do context 'the user is a developer' do
let(:current_user) { developer } let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) } it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) } it { is_expected.to be_allowed(:read_commit_committer_check) }
end end
end end
end
context 'reject_unsigned_commits is not enabled by the current license' do context 'reject_unsigned_commits is not enabled by the current license' do
before do before do
...@@ -1197,49 +1164,17 @@ RSpec.describe ProjectPolicy do ...@@ -1197,49 +1164,17 @@ RSpec.describe ProjectPolicy do
stub_licensed_features(reject_unsigned_commits: true) stub_licensed_features(reject_unsigned_commits: true)
end end
context 'when the user is a maintainer' do context 'when the user is an admin', :enable_admin_mode do
let(:current_user) { maintainer } let(:current_user) { admin }
it { is_expected.to be_allowed(:change_reject_unsigned_commits) } it { is_expected.to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) } it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end end
context 'when the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'it is enabled on global level' do
before do
create(:push_rule_sample, reject_unsigned_commits: true)
end
context 'when the user is a maintainer' do
let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'when the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
end
context 'it is enabled on group level' do
let(:push_rule) { create(:push_rule_without_project, reject_unsigned_commits: true) }
let(:group) { create(:group, push_rule: push_rule) }
let(:project) { create(:project, namespace_id: group.id) }
context 'when the user is a maintainer' do context 'when the user is a maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) } it { is_expected.to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) } it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end end
...@@ -1250,7 +1185,6 @@ RSpec.describe ProjectPolicy do ...@@ -1250,7 +1185,6 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_reject_unsigned_commits) } it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end end
end end
end
context 'when dora4 analytics is available' do context 'when dora4 analytics is available' do
let(:current_user) { developer } let(:current_user) { developer }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment