Prevent editing commits if signed commits required

On https://gitlab.com/groups/gitlab-org/-/epics/4983, we want to allow editing commit messages on unprotected branches. Until a better solution is found, we can't edit commit messages that are signed, so if "Required signed commits" option is enabled, this setting shouldn't be enabled. This commits prevents for editing commit setting to be enabled if signed commits is required. Related to https://gitlab.com/gitlab-org/gitlab/-/issues/292493

Prevent editing commits if signed commits required
On https://gitlab.com/groups/gitlab-org/-/epics/4983, we want to allow editing commit messages on unprotected branches. Until a better solution is found, we can't edit commit messages that are signed, so if "Required signed commits" option is enabled, this setting shouldn't be enabled. This commits prevents for editing commit setting to be enabled if signed commits is required. Related to https://gitlab.com/gitlab-org/gitlab/-/issues/292493
bf116855 · Mayra Cabrera · 567263c9 · bf116855 · bf116855 · bf116855
Commit bf116855 authored Jan 08, 2021 by Mayra Cabrera
5 changed files
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -94,7 +94,7 @@ class ProjectsController < Projects::ApplicationController
          redirect_to(edit_project_path(@project, anchor: 'js-general-project-settings'))
        end
      else
-        flash.now[:alert] = result[:message]
+        flash[:alert] = result[:message]
        @project.reset

        format.html { render_edit }

--- a/ee/app/models/ee/project_setting.rb
+++ b/ee/app/models/ee/project_setting.rb
@@ -8,6 +8,23 @@ module EE
      belongs_to :push_rule

      scope :has_vulnerabilities, -> { where('has_vulnerabilities IS TRUE') }
+
+      validate :allow_editing_commits
+
+      private
+
+      def allow_editing_commits
+        return unless signed_commits_required?
+
+        error_message = _("can't be enabled because signed commits are required for this project")
+        errors.add(:allow_editing_commit_messages, error_message)
+      end
+
+      def signed_commits_required?
+        return false unless push_rule
+
+        push_rule.reject_unsigned_commits?
+      end
    end
  end
 end
--- a/ee/spec/models/ee/project_setting_spec.rb
+++ b/ee/spec/models/ee/project_setting_spec.rb
@@ -13,4 +13,35 @@ RSpec.describe ProjectSetting do

    it { is_expected.to contain_exactly(setting_1) }
  end
+
+  describe '#allow_editing_commits' do
+    subject(:setting) { build(:project_setting) }
+
+    context 'with a push rule' do
+      context 'when reject unsigned commits is enabled' do
+        it 'prevents editing commits' do
+          setting.build_push_rule
+          setting.push_rule.reject_unsigned_commits = true
+
+          expect(setting).not_to be_valid
+          expect(setting.errors[:allow_editing_commit_messages]).to be_present
+        end
+      end
+
+      context 'when reject unsigned commits is disabled' do
+        it 'allows editing commits' do
+          setting.build_push_rule
+          setting.push_rule.reject_unsigned_commits = false
+
+          expect(setting).to be_valid
+        end
+      end
+    end
+
+    context 'without a push rule' do
+      it 'allows editing commits' do
+        expect(setting).to be_valid
+      end
+    end
+  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -32857,6 +32857,9 @@ msgstr ""
 msgid "can contain only letters of the Base64 alphabet (RFC4648) with the addition of '@', ':' and '.'"
 msgstr ""

+msgid "can't be enabled because signed commits are required for this project"
+msgstr ""
+
 msgid "cannot be a date in the past"
 msgstr ""


--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -616,7 +616,7 @@ RSpec.describe ProjectsController do
          expect { update_project path: 'renamed_path' }
            .not_to change { project.reload.path }

-          expect(controller).to set_flash.now[:alert].to(s_('UpdateProject|Cannot rename project because it contains container registry tags!'))
+          expect(controller).to set_flash[:alert].to(s_('UpdateProject|Cannot rename project because it contains container registry tags!'))
          expect(response).to have_gitlab_http_status(:ok)
        end
      end