2016-08-24 12:49:21 +05:30
module Gitlab
module Checks
class ChangeAccess
2017-09-10 17:25:29 +05:30
ERROR_MESSAGES = {
push_code : 'You are not allowed to push code to this project.' ,
delete_default_branch : 'The default branch of a project cannot be deleted.' ,
force_push_protected_branch : 'You are not allowed to force push code to a protected branch on this project.' ,
non_master_delete_protected_branch : 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.' ,
non_web_delete_protected_branch : 'You can only delete protected branches using the web interface.' ,
merge_protected_branch : 'You are not allowed to merge code into protected branches on this project.' ,
push_protected_branch : 'You are not allowed to push code to protected branches on this project.' ,
change_existing_tags : 'You are not allowed to change existing tags on this project.' ,
update_protected_tag : 'Protected tags cannot be updated.' ,
delete_protected_tag : 'Protected tags cannot be deleted.' ,
create_protected_tag : 'You are not allowed to create this tag as it is protected.'
} . freeze
2017-08-17 22:00:37 +05:30
attr_reader :user_access , :project , :skip_authorization , :protocol
2016-08-24 12:49:21 +05:30
2017-08-17 22:00:37 +05:30
def initialize (
change , user_access : , project : , skip_authorization : false ,
protocol :
)
2016-09-13 17:45:13 +05:30
@oldrev , @newrev , @ref = change . values_at ( :oldrev , :newrev , :ref )
@branch_name = Gitlab :: Git . branch_name ( @ref )
2017-08-17 22:00:37 +05:30
@tag_name = Gitlab :: Git . tag_name ( @ref )
2016-08-24 12:49:21 +05:30
@user_access = user_access
@project = project
2017-08-17 22:00:37 +05:30
@skip_authorization = skip_authorization
@protocol = protocol
2016-08-24 12:49:21 +05:30
end
def exec
2017-09-10 17:25:29 +05:30
return true if skip_authorization
2016-08-24 12:49:21 +05:30
2017-09-10 17:25:29 +05:30
push_checks
branch_checks
tag_checks
true
2016-08-24 12:49:21 +05:30
end
protected
2017-09-10 17:25:29 +05:30
def push_checks
if user_access . cannot_do_action? ( :push_code )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :push_code ]
end
end
def branch_checks
2016-09-29 09:46:39 +05:30
return unless @branch_name
2017-09-10 17:25:29 +05:30
if deletion? && @branch_name == project . default_branch
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :delete_default_branch ]
end
protected_branch_checks
end
def protected_branch_checks
2017-08-17 22:00:37 +05:30
return unless ProtectedBranch . protected? ( project , @branch_name )
2016-08-24 12:49:21 +05:30
2017-08-17 22:00:37 +05:30
if forced_push?
2017-09-10 17:25:29 +05:30
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :force_push_protected_branch ]
2016-08-24 12:49:21 +05:30
end
2017-09-10 17:25:29 +05:30
if deletion?
protected_branch_deletion_checks
else
protected_branch_push_checks
end
end
def protected_branch_deletion_checks
unless user_access . can_delete_branch? ( @branch_name )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :non_master_delete_protected_branch ]
end
unless protocol == 'web'
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :non_web_delete_protected_branch ]
end
end
def protected_branch_push_checks
2016-08-24 12:49:21 +05:30
if matching_merge_request?
2017-09-10 17:25:29 +05:30
unless user_access . can_merge_to_branch? ( @branch_name ) || user_access . can_push_to_branch? ( @branch_name )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :merge_protected_branch ]
2016-08-24 12:49:21 +05:30
end
else
2017-09-10 17:25:29 +05:30
unless user_access . can_push_to_branch? ( @branch_name )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :push_protected_branch ]
2016-08-24 12:49:21 +05:30
end
end
end
def tag_checks
2017-08-17 22:00:37 +05:30
return unless @tag_name
if tag_exists? && user_access . cannot_do_action? ( :admin_project )
2017-09-10 17:25:29 +05:30
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :change_existing_tags ]
2016-08-24 12:49:21 +05:30
end
2017-08-17 22:00:37 +05:30
protected_tag_checks
end
def protected_tag_checks
2017-09-10 17:25:29 +05:30
return unless ProtectedTag . protected? ( project , @tag_name )
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
raise ( GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :update_protected_tag ] ) if update?
raise ( GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :delete_protected_tag ] ) if deletion?
2016-08-24 12:49:21 +05:30
2017-09-10 17:25:29 +05:30
unless user_access . can_create_tag? ( @tag_name )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :create_protected_tag ]
2016-08-24 12:49:21 +05:30
end
end
private
2017-08-17 22:00:37 +05:30
def tag_exists?
project . repository . tag_exists? ( @tag_name )
2016-08-24 12:49:21 +05:30
end
def forced_push?
Gitlab :: Checks :: ForcePush . force_push? ( @project , @oldrev , @newrev )
end
2017-08-17 22:00:37 +05:30
def update?
! Gitlab :: Git . blank_ref? ( @oldrev ) && ! deletion?
end
def deletion?
Gitlab :: Git . blank_ref? ( @newrev )
end
2016-08-24 12:49:21 +05:30
def matching_merge_request?
Checks :: MatchingMergeRequest . new ( @newrev , @branch_name , @project ) . match?
end
end
end
end
