debian-mirror-gitlab/lib/gitlab/git_access_snippet.rb

# frozen_string_literal: true
module Gitlab
  # Access checks for Git operations on snippet repositories.
  #
  # Inherits the general flow from GitAccess and overrides the parts that
  # differ for snippets. `snippet` is an alias for the inherited `container`.
  class GitAccessSnippet < GitAccess
    extend ::Gitlab::Utils::Override

    # Messages attached to the errors raised in this class.
    # NOTE(review): check_push_access! also requests :read_only, which is not
    # listed here; presumably the parent class supplies it - confirm.
    ERROR_MESSAGES = {
      authentication_mechanism: 'The authentication mechanism is not supported.',
      read_snippet: 'You are not allowed to read this snippet.',
      update_snippet: 'You are not allowed to update this snippet.',
      snippet_not_found: 'The snippet you were looking for could not be found.',
      no_repo: 'The snippet repository you were looking for could not be found.'
    }.freeze

    alias_method :snippet, :container

    # @param actor the identity performing the Git operation
    # @param snippet the snippet whose repository is being accessed
    # @param protocol forwarded unchanged to GitAccess
    # @param kwargs forwarded unchanged to GitAccess
    def initialize(actor, snippet, protocol, **kwargs)
      super(actor, snippet, protocol, **kwargs)

      @auth_result_type = nil
      # Intersect with the two code abilities: whatever else the parent
      # accepted is dropped, and nothing is added that was not already there.
      @authentication_abilities &= %i[download_code push_code]
    end

    # @return the owning project for a ProjectSnippet, nil for any other container
    override :project
    def project
      return unless container.is_a?(ProjectSnippet)

      container.project
    end

    # Verifies that a snippet was supplied before running the inherited checks.
    # The bare `super` forwards cmd and changes as received.
    override :check
    def check(cmd, changes)
      check_snippet_accessibility!

      super
    end

    # @return [Symbol] the ability name used for downloads
    override :download_ability
    def download_ability
      :read_snippet
    end

    # @return [Symbol] the ability name used for pushes
    override :push_ability
    def push_ability
      :update_snippet
    end

    private

    # TODO: Implement EE/Geo https://gitlab.com/gitlab-org/gitlab/issues/205629
    override :check_custom_action
    def check_custom_action
      # Intentionally empty: snippets never return custom actions, such as
      # geo replication.
    end

    # Rejects a present actor of an unsupported type, then defers to the
    # parent. A nil actor is not rejected here and reaches `super` unchanged.
    #
    # @raise [ForbiddenError] when the actor is present but not an allowed type
    override :check_valid_actor!
    def check_valid_actor!
      # TODO: Investigate if expanding actor/authentication types are needed.
      # https://gitlab.com/gitlab-org/gitlab/issues/202190
      unsupported_actor = actor && !allowed_actor?
      raise ForbiddenError, error_message(:authentication_mechanism) if unsupported_actor

      super
    end

    # `is_a?` accepts User and its subclasses; `instance_of?` accepts Key
    # itself only, so any subclass of Key is refused.
    # NOTE(review): presumably deliberate, to keep other key types (such as
    # deploy keys) out - confirm before relaxing this to `is_a?`.
    def allowed_actor?
      actor.is_a?(User) || actor.instance_of?(Key)
    end

    # Pushing needs a resolved user (an actor alone is not enough) and a
    # repository that is not read-only; per-change checks follow.
    #
    # @raise [ForbiddenError] when there is no user or the repository is read-only
    override :check_push_access!
    def check_push_access!
      raise ForbiddenError, error_message(:update_snippet) unless user
      raise ForbiddenError, error_message(:read_only) if snippet&.repository_read_only?

      check_change_access!
    end

    # @raise [NotFoundError] when no snippet was supplied
    def check_snippet_accessibility!
      raise NotFoundError, error_message(:snippet_not_found) if snippet.blank?
    end

    # The migration bot user skips the inherited project read check.
    # NOTE(review): this is an unconditional bypass for that one identity;
    # how a user qualifies as migration_bot? is defined outside this file.
    override :can_read_project?
    def can_read_project?
      if user&.migration_bot?
        true
      else
        super
      end
    end

    override :can_download?
    def can_download?
      guest_can_download? || user_can_download?
    end

    override :download_forbidden_message
    def download_forbidden_message
      error_message(:read_snippet)
    end

    # Order matters: permission first, then the pre-push size check, the
    # per-change checks, and finally the push size check.
    #
    # @raise [ForbiddenError] when the user is not allowed to push
    override :check_change_access!
    def check_change_access!
      raise ForbiddenError, error_message(:update_snippet) unless user_can_push?

      check_size_before_push!
      check_access!
      check_push_size!
    end

    # Validates every change in the push. The first failing check raises and
    # the exception is left to propagate, which cancels the whole push.
    #
    # @raise [TimeoutError] when a check hits Checks::TimedLogger::TimeoutError
    override :check_access!
    def check_access!
      changes_list.each do |change|
        snippet_check = Checks::SnippetCheck.new(
          change,
          default_branch: snippet.default_branch,
          root_ref: snippet.repository.root_ref,
          logger: logger
        )
        snippet_check.validate!

        file_count_check = Checks::PushFileCountCheck.new(
          change,
          repository: repository,
          limit: Snippet.max_file_limit,
          logger: logger
        )
        file_count_check.validate!
      end
    rescue Checks::TimedLogger::TimeoutError
      raise TimeoutError, logger.full_message
    end

    # Memoized snippet-specific access object for the current user.
    override :user_access
    def user_access
      @user_access ||= UserAccessSnippet.new(user, snippet: snippet)
    end

    # The migration bot user is exempt from the size limit check.
    override :check_size_limit?
    def check_size_limit?
      if user&.migration_bot?
        false
      else
        super
      end
    end
  end
end
# Calls prepend_mod_with with this class's own name; presumably this lets an
# edition-specific module of the same name be prepended - confirm.
# NOTE(review): a prepended module takes precedence over the methods defined
# in the class, so any such extension is part of the access-control surface
# and needs the same review as the checks here.
Gitlab::GitAccessSnippet.prepend_mod_with('Gitlab::GitAccessSnippet')