debian-mirror-gitlab/lib/gitlab/user_access.rb

module Gitlab
  class UserAccess
    extend Gitlab::Cache::RequestCache

    request_cache_key do
      [user&.id, project&.id]
    end

    attr_reader :user, :project

    def initialize(user, project: nil)
      @user = user
      @project = project
    end

    def can_do_action?(action)
      return false unless can_access_git?

      @permission_cache ||= {}
      @permission_cache[action] ||= user.can?(action, project)
    end

    def cannot_do_action?(action)
      !can_do_action?(action)
    end

    def allowed?
      return false unless can_access_git?

      if user.requires_ldap_check? && user.try_obtain_ldap_lease
        return false unless Gitlab::LDAP::Access.allowed?(user)
      end

      true
    end

    request_cache def can_create_tag?(ref)
      return false unless can_access_git?

      if protected?(ProtectedTag, project, ref)
        protected_tag_accessible_to?(ref, action: :create)
      else
        user.can?(:push_code, project)
      end
    end

    request_cache def can_delete_branch?(ref)
      return false unless can_access_git?

      if protected?(ProtectedBranch, project, ref)
        user.can?(:delete_protected_branch, project)
      else
        user.can?(:push_code, project)
      end
    end

    def can_update_branch?(ref)
      can_push_to_branch?(ref) || can_merge_to_branch?(ref)
    end

    request_cache def can_push_to_branch?(ref)
      return false unless can_access_git?

      if protected?(ProtectedBranch, project, ref)
        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)

        protected_branch_accessible_to?(ref, action: :push)
      else
        user.can?(:push_code, project)
      end
    end

    request_cache def can_merge_to_branch?(ref)
      return false unless can_access_git?

      if protected?(ProtectedBranch, project, ref)
        protected_branch_accessible_to?(ref, action: :merge)
      else
        user.can?(:push_code, project)
      end
    end

    def can_read_project?
      return false unless can_access_git?

      user.can?(:read_project, project)
    end

    private

    def can_access_git?
      user && user.can?(:access_git)
    end

    def protected_branch_accessible_to?(ref, action:)
      ProtectedBranch.protected_ref_accessible_to?(
        ref, user,
        action: action,
        protected_refs: project.protected_branches)
    end

    def protected_tag_accessible_to?(ref, action:)
      ProtectedTag.protected_ref_accessible_to?(
        ref, user,
        action: action,
        protected_refs: project.protected_tags)
    end

    request_cache def protected?(kind, project, ref)
      kind.protected?(project, ref)
    end
  end
end
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`module Gitlab`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`class UserAccess`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`extend Gitlab::Cache::RequestCache`

			`request_cache_key do`
			`[user&.id, project&.id]`
			`end`

Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`attr_reader :user, :project`

			`def initialize(user, project: nil)`
			`@user = user`
			`@project = project`
			`end`

			`def can_do_action?(action)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`return false unless can_access_git?`

Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`@permission_cache \|\|= {}`
			`@permission_cache[action] \|\|= user.can?(action, project)`
			`end`

			`def cannot_do_action?(action)`
			`!can_do_action?(action)`
			`end`

			`def allowed?`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`return false unless can_access_git?`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`if user.requires_ldap_check? && user.try_obtain_ldap_lease`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`return false unless Gitlab::LDAP::Access.allowed?(user)`
			`end`

			`true`
			`end`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`request_cache def can_create_tag?(ref)`
			`return false unless can_access_git?`

			`if protected?(ProtectedTag, project, ref)`
			`protected_tag_accessible_to?(ref, action: :create)`
			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

			`request_cache def can_delete_branch?(ref)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`return false unless can_access_git?`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`if protected?(ProtectedBranch, project, ref)`
			`user.can?(:delete_protected_branch, project)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`def can_update_branch?(ref)`
			`can_push_to_branch?(ref) \|\| can_merge_to_branch?(ref)`
			`end`

			`request_cache def can_push_to_branch?(ref)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`return false unless can_access_git?`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`if protected?(ProtectedBranch, project, ref)`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`protected_branch_accessible_to?(ref, action: :push)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`request_cache def can_merge_to_branch?(ref)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`return false unless can_access_git?`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`if protected?(ProtectedBranch, project, ref)`
			`protected_branch_accessible_to?(ref, action: :merge)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

			`def can_read_project?`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`return false unless can_access_git?`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30
			`user.can?(:read_project, project)`
			`end`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
			`private`

			`def can_access_git?`
			`user && user.can?(:access_git)`
			`end`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
			`def protected_branch_accessible_to?(ref, action:)`
			`ProtectedBranch.protected_ref_accessible_to?(`
			`ref, user,`
			`action: action,`
			`protected_refs: project.protected_branches)`
			`end`

			`def protected_tag_accessible_to?(ref, action:)`
			`ProtectedTag.protected_ref_accessible_to?(`
			`ref, user,`
			`action: action,`
			`protected_refs: project.protected_tags)`
			`end`

			`request_cache def protected?(kind, project, ref)`
			`kind.protected?(project, ref)`
			`end`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`
			`end`