Commit f60838ca authored by Jonas Wälter's avatar Jonas Wälter Committed by Imre Farkas

Git over HTTP: bypass admin mode

parent a1033f87
...@@ -17,6 +17,9 @@ module Repositories ...@@ -17,6 +17,9 @@ module Repositories
prepend_before_action :authenticate_user, :parse_repo_path prepend_before_action :authenticate_user, :parse_repo_path
skip_around_action :sessionless_bypass_admin_mode!
around_action :bypass_admin_mode!, if: :authenticated_user
feature_category :source_code_management feature_category :source_code_management
def authenticated_user def authenticated_user
...@@ -136,6 +139,12 @@ module Repositories ...@@ -136,6 +139,12 @@ module Repositories
container && container &&
Guest.can?(repo_type.guest_read_ability, container) Guest.can?(repo_type.guest_read_ability, container)
end end
def bypass_admin_mode!(&block)
return yield unless Gitlab::CurrentSettings.admin_mode
Gitlab::Auth::CurrentUserMode.bypass_session!(authenticated_user.id, &block)
end
end end
end end
......
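Review bot: The new `bypass_admin_mode!` around-action (L16–L19; the enclosing controller class starts outside the hunk) lets an admin's Git-over-HTTP credentials act with full admin ability without the admin-mode re-authentication that browser sessions require, and nothing in the controller itself records why — the only rationale on this page is a spec comment pointing to issue 296509. A comment above the method, e.g. `# Git over HTTP has no interactive session in which admin mode could be enabled, so the session check is bypassed here; see https://gitlab.com/gitlab-org/gitlab/-/issues/296509 for enforcing admin mode on git operations.`, keeps that trade-off visible to the next maintainer. The bypass is keyed on `authenticated_user.id`; if `authenticated_user` (declared at L11, body outside the hunk) can return a non-User actor, the id handed to `bypass_session!` would not be an admin user's id, so narrowing the condition to `around_action :bypass_admin_mode!, if: -> { authenticated_user.is_a?(User) && authenticated_user.admin? }` would confine the bypass to the one case where it changes anything. The `return yield unless Gitlab::CurrentSettings.admin_mode` guard is correct for the instance-wide setting being off and needs no change.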
...@@ -836,6 +836,24 @@ RSpec.describe 'Git HTTP requests' do ...@@ -836,6 +836,24 @@ RSpec.describe 'Git HTTP requests' do
end end
end end
end end
context "when the user is admin" do
let(:admin) { create(:admin) }
let(:env) { { user: admin.username, password: admin.password } }
# Currently, the admin mode is bypassed for git operations.
# Once the admin mode is considered for git operations, this test will fail.
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/296509
context 'when admin mode is enabled', :enable_admin_mode do
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
context 'when admin mode is disabled' do
it_behaves_like 'pulls are allowed'
it_behaves_like 'pushes are allowed'
end
end
end end
end end
...@@ -929,10 +947,10 @@ RSpec.describe 'Git HTTP requests' do ...@@ -929,10 +947,10 @@ RSpec.describe 'Git HTTP requests' do
context 'when admin mode is disabled' do context 'when admin mode is disabled' do
it_behaves_like 'can download code only' it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do it 'downloads from other project get status 403' do
clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
end end
...@@ -1534,10 +1552,10 @@ RSpec.describe 'Git HTTP requests' do ...@@ -1534,10 +1552,10 @@ RSpec.describe 'Git HTTP requests' do
context 'when admin mode is disabled' do context 'when admin mode is disabled' do
it_behaves_like 'can download code only' it_behaves_like 'can download code only'
it 'downloads from other project get status 404' do it 'downloads from other project get status 403' do
clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token clone_get "#{other_project.full_path}.git", user: 'gitlab-ci-token', password: build.token
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
end end
......
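Review bot: The expectation change from `:not_found` to `:forbidden` at L47–L49 (and the identical change at L56–L58) follows from the admin-mode bypass, but the spec gives no reason why a CI job token on another project now gets 403 instead of 404, and a 403 discloses that `other_project` exists where the 404 previously did not. If this context's build belongs to an admin user (the outer context is not visible here), a one-line comment above the `it`, such as `# admin mode is bypassed for Git over HTTP, so the admin can see other_project; the job token scope still forbids it, hence 403`, would record the intent behind the new status. The admin context added at L27–L41 already explains the bypass and links issue 296509; referencing the same issue in these two examples keeps the three places in step when the bypass is eventually removed.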