Commit 3152efae authored by Vitali Tatarintev's avatar Vitali Tatarintev

Merge branch 'fj-forbid-push-when-snippet-read-only' into 'master'

Forbid snippet pushes when repo is read-only

See merge request gitlab-org/gitlab!51318
parents 730f868d cac9ac45
---
title: Forbid snippet pushes when repo is read-only
merge_request: 51318
author:
type: fixed
...@@ -59,7 +59,7 @@ module Gitlab ...@@ -59,7 +59,7 @@ module Gitlab
# TODO: Investigate if expanding actor/authentication types are needed. # TODO: Investigate if expanding actor/authentication types are needed.
# https://gitlab.com/gitlab-org/gitlab/issues/202190 # https://gitlab.com/gitlab-org/gitlab/issues/202190
if actor && !allowed_actor? if actor && !allowed_actor?
raise ForbiddenError, ERROR_MESSAGES[:authentication_mechanism] raise ForbiddenError, error_message(:authentication_mechanism)
end end
super super
...@@ -71,14 +71,18 @@ module Gitlab ...@@ -71,14 +71,18 @@ module Gitlab
override :check_push_access! override :check_push_access!
def check_push_access! def check_push_access!
raise ForbiddenError, ERROR_MESSAGES[:update_snippet] unless user raise ForbiddenError, error_message(:update_snippet) unless user
if snippet&.repository_read_only?
raise ForbiddenError, error_message(:read_only)
end
check_change_access! check_change_access!
end end
def check_snippet_accessibility! def check_snippet_accessibility!
if snippet.blank? if snippet.blank?
raise NotFoundError, ERROR_MESSAGES[:snippet_not_found] raise NotFoundError, error_message(:snippet_not_found)
end end
end end
...@@ -94,14 +98,14 @@ module Gitlab ...@@ -94,14 +98,14 @@ module Gitlab
passed = guest_can_download_code? || user_can_download_code? passed = guest_can_download_code? || user_can_download_code?
unless passed unless passed
raise ForbiddenError, ERROR_MESSAGES[:read_snippet] raise ForbiddenError, error_message(:read_snippet)
end end
end end
override :check_change_access! override :check_change_access!
def check_change_access! def check_change_access!
unless user_can_push? unless user_can_push?
raise ForbiddenError, ERROR_MESSAGES[:update_snippet] raise ForbiddenError, error_message(:update_snippet)
end end
check_size_before_push! check_size_before_push!
......
...@@ -29,8 +29,17 @@ RSpec.describe Gitlab::GitAccessSnippet do ...@@ -29,8 +29,17 @@ RSpec.describe Gitlab::GitAccessSnippet do
let(:actor) { build(:deploy_key) } let(:actor) { build(:deploy_key) }
it 'does not allow push and pull access' do it 'does not allow push and pull access' do
expect { push_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:authentication_mechanism]) expect { push_access_check }.to raise_forbidden(:authentication_mechanism)
expect { pull_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:authentication_mechanism]) expect { pull_access_check }.to raise_forbidden(:authentication_mechanism)
end
end
describe 'when snippet repository is read-only' do
it 'does not allow push and allows pull access' do
allow(snippet).to receive(:repository_read_only?).and_return(true)
expect { push_access_check }.to raise_forbidden(:read_only)
expect { pull_access_check }.not_to raise_error
end end
end end
...@@ -58,7 +67,7 @@ RSpec.describe Gitlab::GitAccessSnippet do ...@@ -58,7 +67,7 @@ RSpec.describe Gitlab::GitAccessSnippet do
let(:snippet) { nil } let(:snippet) { nil }
it 'blocks access with "not found"' do it 'blocks access with "not found"' do
expect { pull_access_check }.to raise_snippet_not_found expect { pull_access_check }.to raise_not_found(:snippet_not_found)
end end
end end
...@@ -66,7 +75,7 @@ RSpec.describe Gitlab::GitAccessSnippet do ...@@ -66,7 +75,7 @@ RSpec.describe Gitlab::GitAccessSnippet do
let(:snippet) { build_stubbed(:personal_snippet) } let(:snippet) { build_stubbed(:personal_snippet) }
it 'blocks access with "not found"' do it 'blocks access with "not found"' do
expect { pull_access_check }.to raise_snippet_not_found expect { pull_access_check }.to raise_not_found(:no_repo)
end end
end end
end end
...@@ -81,8 +90,8 @@ RSpec.describe Gitlab::GitAccessSnippet do ...@@ -81,8 +90,8 @@ RSpec.describe Gitlab::GitAccessSnippet do
it 'blocks access when the user did not accept terms' do it 'blocks access when the user did not accept terms' do
message = /must accept the Terms of Service in order to perform this action/ message = /must accept the Terms of Service in order to perform this action/
expect { push_access_check }.to raise_forbidden(message) expect { push_access_check }.to raise_forbidden_with_message(message)
expect { pull_access_check }.to raise_forbidden(message) expect { pull_access_check }.to raise_forbidden_with_message(message)
end end
it 'allows access when the user accepted the terms' do it 'allows access when the user accepted the terms' do
...@@ -149,8 +158,8 @@ RSpec.describe Gitlab::GitAccessSnippet do ...@@ -149,8 +158,8 @@ RSpec.describe Gitlab::GitAccessSnippet do
let(:membership) { membership } let(:membership) { membership }
it 'respects accessibility' do it 'respects accessibility' do
expect { push_access_check }.to raise_snippet_not_found expect { push_access_check }.to raise_not_found(:project_not_found)
expect { pull_access_check }.to raise_snippet_not_found expect { pull_access_check }.to raise_not_found(:project_not_found)
end end
end end
end end
...@@ -273,7 +282,7 @@ RSpec.describe Gitlab::GitAccessSnippet do ...@@ -273,7 +282,7 @@ RSpec.describe Gitlab::GitAccessSnippet do
allow(check).to receive(:validate!).and_raise(Gitlab::GitAccess::ForbiddenError, 'foo') allow(check).to receive(:validate!).and_raise(Gitlab::GitAccess::ForbiddenError, 'foo')
end end
expect { push_access_check }.to raise_forbidden('foo') expect { push_access_check }.to raise_forbidden_with_message('foo')
end end
it 'sets the file count limit from Snippet class' do it 'sets the file count limit from Snippet class' do
...@@ -424,15 +433,15 @@ RSpec.describe Gitlab::GitAccessSnippet do ...@@ -424,15 +433,15 @@ RSpec.describe Gitlab::GitAccessSnippet do
private private
def raise_snippet_not_found def raise_not_found(message_key)
raise_error(Gitlab::GitAccess::NotFoundError, Gitlab::GitAccess::ERROR_MESSAGES[:snippet_not_found]) raise_error(described_class::NotFoundError, described_class.error_message(message_key))
end end
def raise_project_not_found def raise_forbidden(message_key)
raise_error(Gitlab::GitAccess::NotFoundError, Gitlab::GitAccess::ERROR_MESSAGES[:project_not_found]) raise_error(Gitlab::GitAccess::ForbiddenError, described_class.error_message(message_key))
end end
def raise_forbidden(message) def raise_forbidden_with_message(message)
raise_error(Gitlab::GitAccess::ForbiddenError, message) raise_error(Gitlab::GitAccess::ForbiddenError, message)
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment