Commit fef90e53 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Merge branch...

Merge branch '301116-group-push-permissions-can-enforce-project-level-insecure-settings' into 'master'

Remove push rules lock on group and project level

See merge request gitlab-org/gitlab!58195
parents d6285430 19672217
...@@ -98,16 +98,6 @@ module EE ...@@ -98,16 +98,6 @@ module EE
@subject.saml_group_sync_available? @subject.saml_group_sync_available?
end end
with_scope :global
condition(:commit_committer_check_disabled_globally) do
!PushRule.global&.commit_committer_check
end
with_scope :global
condition(:reject_unsigned_commits_disabled_globally) do
!PushRule.global&.reject_unsigned_commits
end
condition(:commit_committer_check_available) do condition(:commit_committer_check_available) do
@subject.feature_available?(:commit_committer_check) @subject.feature_available?(:commit_committer_check)
end end
...@@ -329,9 +319,7 @@ module EE ...@@ -329,9 +319,7 @@ module EE
prevent(:download_wiki_code) prevent(:download_wiki_code)
end end
rule { admin | (commit_committer_check_disabled_globally & can?(:maintainer_access)) }.policy do rule { admin | maintainer }.enable :change_commit_committer_check
enable :change_commit_committer_check
end
rule { commit_committer_check_available }.policy do rule { commit_committer_check_available }.policy do
enable :read_commit_committer_check enable :read_commit_committer_check
...@@ -341,7 +329,7 @@ module EE ...@@ -341,7 +329,7 @@ module EE
prevent :change_commit_committer_check prevent :change_commit_committer_check
end end
rule { admin | (reject_unsigned_commits_disabled_globally & can?(:maintainer_access)) }.enable :change_reject_unsigned_commits rule { admin | maintainer }.enable :change_reject_unsigned_commits
rule { reject_unsigned_commits_available }.enable :read_reject_unsigned_commits rule { reject_unsigned_commits_available }.enable :read_reject_unsigned_commits
......
...@@ -23,16 +23,6 @@ module EE ...@@ -23,16 +23,6 @@ module EE
with_scope :global with_scope :global
condition(:is_development) { Rails.env.development? } condition(:is_development) { Rails.env.development? }
with_scope :global
condition(:reject_unsigned_commits_disabled_globally) do
!PushRule.global&.reject_unsigned_commits
end
with_scope :global
condition(:commit_committer_check_disabled_globally) do
!PushRule.global&.commit_committer_check
end
with_scope :global with_scope :global
condition(:locked_approvers_rules) do condition(:locked_approvers_rules) do
License.feature_available?(:admin_merge_request_approvers_rules) && License.feature_available?(:admin_merge_request_approvers_rules) &&
...@@ -74,42 +64,11 @@ module EE ...@@ -74,42 +64,11 @@ module EE
group_push_rules_enabled? && subject.group.push_rule group_push_rules_enabled? && subject.group.push_rule
end end
with_scope :subject
condition(:reject_unsigned_commits_disabled_by_group) do
if group_push_rule_present?
!subject.group.push_rule.reject_unsigned_commits
else
true
end
end
condition(:can_change_reject_unsigned_commits) do
admin? ||
(can?(:maintainer_access) &&
reject_unsigned_commits_disabled_globally? &&
reject_unsigned_commits_disabled_by_group?)
end
condition(:commit_committer_check_disabled_by_group) do
if group_push_rule_present?
!subject.group.push_rule.commit_committer_check
else
true
end
end
with_scope :subject with_scope :subject
condition(:commit_committer_check_available) do condition(:commit_committer_check_available) do
@subject.feature_available?(:commit_committer_check) @subject.feature_available?(:commit_committer_check)
end end
condition(:can_change_commit_commiter_check) do
admin? ||
(can?(:maintainer_access) &&
commit_committer_check_disabled_globally? &&
commit_committer_check_disabled_by_group?)
end
with_scope :subject with_scope :subject
condition(:reject_unsigned_commits_available) do condition(:reject_unsigned_commits_available) do
@subject.feature_available?(:reject_unsigned_commits) @subject.feature_available?(:reject_unsigned_commits)
...@@ -322,13 +281,13 @@ module EE ...@@ -322,13 +281,13 @@ module EE
rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches
rule { can_change_reject_unsigned_commits }.enable :change_reject_unsigned_commits rule { admin | maintainer }.enable :change_reject_unsigned_commits
rule { reject_unsigned_commits_available }.enable :read_reject_unsigned_commits rule { reject_unsigned_commits_available }.enable :read_reject_unsigned_commits
rule { ~reject_unsigned_commits_available }.prevent :change_reject_unsigned_commits rule { ~reject_unsigned_commits_available }.prevent :change_reject_unsigned_commits
rule { can_change_commit_commiter_check }.enable :change_commit_committer_check rule { admin | maintainer }.enable :change_commit_committer_check
rule { commit_committer_check_available }.enable :read_commit_committer_check rule { commit_committer_check_available }.enable :read_commit_committer_check
......
---
title: Remove push rules locks on group and project level
merge_request: 58195
author:
type: fixed
...@@ -970,6 +970,13 @@ RSpec.describe GroupPolicy do ...@@ -970,6 +970,13 @@ RSpec.describe GroupPolicy do
stub_licensed_features(commit_committer_check: true) stub_licensed_features(commit_committer_check: true)
end end
context 'when the user is an admin', :enable_admin_mode do
let(:current_user) { admin }
it { is_expected.to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
context 'the user is a maintainer' do context 'the user is a maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
...@@ -983,26 +990,6 @@ RSpec.describe GroupPolicy do ...@@ -983,26 +990,6 @@ RSpec.describe GroupPolicy do
it { is_expected.not_to be_allowed(:change_commit_committer_check) } it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) } it { is_expected.to be_allowed(:read_commit_committer_check) }
end end
context 'it is enabled on global level' do
before do
create(:push_rule_sample, commit_committer_check: true)
end
context 'the user is a maintainer' do
let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
context 'the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
end
end end
context 'reject_unsigned_commits is not enabled by the current license' do context 'reject_unsigned_commits is not enabled by the current license' do
...@@ -1021,6 +1008,13 @@ RSpec.describe GroupPolicy do ...@@ -1021,6 +1008,13 @@ RSpec.describe GroupPolicy do
stub_licensed_features(reject_unsigned_commits: true) stub_licensed_features(reject_unsigned_commits: true)
end end
context 'when the user is an admin', :enable_admin_mode do
let(:current_user) { admin }
it { is_expected.to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'the user is a maintainer' do context 'the user is a maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
...@@ -1034,33 +1028,6 @@ RSpec.describe GroupPolicy do ...@@ -1034,33 +1028,6 @@ RSpec.describe GroupPolicy do
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) } it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) } it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end end
context 'it is enabled on global level' do
before do
create(:push_rule_sample, reject_unsigned_commits: true)
end
context 'the user is a maintainer' do
let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'the user is an admin', :enable_admin_mode do
let(:current_user) { admin }
it { is_expected.to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
end
end end
shared_examples 'analytics policy' do |action| shared_examples 'analytics policy' do |action|
......
...@@ -1126,6 +1126,13 @@ RSpec.describe ProjectPolicy do ...@@ -1126,6 +1126,13 @@ RSpec.describe ProjectPolicy do
stub_licensed_features(commit_committer_check: true) stub_licensed_features(commit_committer_check: true)
end end
context 'when the user is an admin', :enable_admin_mode do
let(:current_user) { admin }
it { is_expected.to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
context 'the user is a maintainer' do context 'the user is a maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
...@@ -1139,46 +1146,6 @@ RSpec.describe ProjectPolicy do ...@@ -1139,46 +1146,6 @@ RSpec.describe ProjectPolicy do
it { is_expected.not_to be_allowed(:change_commit_committer_check) } it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) } it { is_expected.to be_allowed(:read_commit_committer_check) }
end end
context 'it is enabled on global level' do
before do
create(:push_rule_sample, commit_committer_check: true)
end
context 'when the user is a maintainer' do
let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
context 'when the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
end
context 'it is enabled on group level' do
let(:push_rule) { create(:push_rule, commit_committer_check: true) }
let(:group) { create(:group, push_rule: push_rule) }
let(:project) { create(:project, namespace_id: group.id) }
context 'when the user is a maintainer' do
let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
context 'when the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_commit_committer_check) }
it { is_expected.to be_allowed(:read_commit_committer_check) }
end
end
end end
context 'reject_unsigned_commits is not enabled by the current license' do context 'reject_unsigned_commits is not enabled by the current license' do
...@@ -1197,6 +1164,13 @@ RSpec.describe ProjectPolicy do ...@@ -1197,6 +1164,13 @@ RSpec.describe ProjectPolicy do
stub_licensed_features(reject_unsigned_commits: true) stub_licensed_features(reject_unsigned_commits: true)
end end
context 'when the user is an admin', :enable_admin_mode do
let(:current_user) { admin }
it { is_expected.to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'when the user is a maintainer' do context 'when the user is a maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
...@@ -1210,46 +1184,6 @@ RSpec.describe ProjectPolicy do ...@@ -1210,46 +1184,6 @@ RSpec.describe ProjectPolicy do
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) } it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) } it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end end
context 'it is enabled on global level' do
before do
create(:push_rule_sample, reject_unsigned_commits: true)
end
context 'when the user is a maintainer' do
let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'when the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
end
context 'it is enabled on group level' do
let(:push_rule) { create(:push_rule_without_project, reject_unsigned_commits: true) }
let(:group) { create(:group, push_rule: push_rule) }
let(:project) { create(:project, namespace_id: group.id) }
context 'when the user is a maintainer' do
let(:current_user) { maintainer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
context 'when the user is a developer' do
let(:current_user) { developer }
it { is_expected.not_to be_allowed(:change_reject_unsigned_commits) }
it { is_expected.to be_allowed(:read_reject_unsigned_commits) }
end
end
end end
context 'when dora4 analytics is available' do context 'when dora4 analytics is available' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment