debian-mirror-gitlab/lib/gitlab/checks/change_access.rb

116 lines
3.1 KiB
Ruby
Raw Normal View History

2016-08-24 12:49:21 +05:30
module Gitlab
module Checks
class ChangeAccess
2017-08-17 22:00:37 +05:30
# protocol is currently used only in EE
attr_reader :user_access, :project, :skip_authorization, :protocol
2016-08-24 12:49:21 +05:30
2017-08-17 22:00:37 +05:30
def initialize(
change, user_access:, project:, skip_authorization: false,
protocol:
)
2016-09-13 17:45:13 +05:30
@oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
@branch_name = Gitlab::Git.branch_name(@ref)
2017-08-17 22:00:37 +05:30
@tag_name = Gitlab::Git.tag_name(@ref)
2016-08-24 12:49:21 +05:30
@user_access = user_access
@project = project
2017-08-17 22:00:37 +05:30
@skip_authorization = skip_authorization
@protocol = protocol
2016-08-24 12:49:21 +05:30
end
def exec
2016-09-13 17:45:13 +05:30
error = push_checks || tag_checks || protected_branch_checks
2016-08-24 12:49:21 +05:30
if error
GitAccessStatus.new(false, error)
else
GitAccessStatus.new(true)
end
end
protected
def protected_branch_checks
2017-08-17 22:00:37 +05:30
return if skip_authorization
2016-09-29 09:46:39 +05:30
return unless @branch_name
2017-08-17 22:00:37 +05:30
return unless ProtectedBranch.protected?(project, @branch_name)
2016-08-24 12:49:21 +05:30
2017-08-17 22:00:37 +05:30
if forced_push?
2016-08-24 12:49:21 +05:30
return "You are not allowed to force push code to a protected branch on this project."
2017-08-17 22:00:37 +05:30
elsif deletion?
2016-08-24 12:49:21 +05:30
return "You are not allowed to delete protected branches from this project."
end
if matching_merge_request?
if user_access.can_merge_to_branch?(@branch_name) || user_access.can_push_to_branch?(@branch_name)
return
else
"You are not allowed to merge code into protected branches on this project."
end
else
if user_access.can_push_to_branch?(@branch_name)
return
else
"You are not allowed to push code to protected branches on this project."
end
end
end
def tag_checks
2017-08-17 22:00:37 +05:30
return if skip_authorization
2016-08-24 12:49:21 +05:30
2017-08-17 22:00:37 +05:30
return unless @tag_name
if tag_exists? && user_access.cannot_do_action?(:admin_project)
return "You are not allowed to change existing tags on this project."
2016-08-24 12:49:21 +05:30
end
2017-08-17 22:00:37 +05:30
protected_tag_checks
end
def protected_tag_checks
return unless tag_protected?
return "Protected tags cannot be updated." if update?
return "Protected tags cannot be deleted." if deletion?
unless user_access.can_create_tag?(@tag_name)
return "You are not allowed to create this tag as it is protected."
end
end
def tag_protected?
ProtectedTag.protected?(project, @tag_name)
2016-08-24 12:49:21 +05:30
end
def push_checks
2017-08-17 22:00:37 +05:30
return if skip_authorization
2016-08-24 12:49:21 +05:30
if user_access.cannot_do_action?(:push_code)
"You are not allowed to push code to this project."
end
end
private
2017-08-17 22:00:37 +05:30
def tag_exists?
project.repository.tag_exists?(@tag_name)
2016-08-24 12:49:21 +05:30
end
def forced_push?
Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev)
end
2017-08-17 22:00:37 +05:30
def update?
!Gitlab::Git.blank_ref?(@oldrev) && !deletion?
end
def deletion?
Gitlab::Git.blank_ref?(@newrev)
end
2016-08-24 12:49:21 +05:30
def matching_merge_request?
Checks::MatchingMergeRequest.new(@newrev, @branch_name, @project).match?
end
end
end
end