debian-mirror-gitlab/lib/gitlab/user_access.rb

132 lines
3.1 KiB
Ruby
Raw Normal View History

2018-12-13 13:39:08 +05:30
# frozen_string_literal: true
2014-09-02 18:07:02 +05:30
module Gitlab
2016-08-24 12:49:21 +05:30
class UserAccess
2017-09-10 17:25:29 +05:30
extend Gitlab::Cache::RequestCache
request_cache_key do
[user&.id, project&.id]
end
2018-03-17 18:26:18 +05:30
attr_reader :user
attr_accessor :project
2016-08-24 12:49:21 +05:30
def initialize(user, project: nil)
@user = user
@project = project
end
def can_do_action?(action)
2017-08-17 22:00:37 +05:30
return false unless can_access_git?
2018-03-17 18:26:18 +05:30
permission_cache[action] =
permission_cache.fetch(action) do
user.can?(action, project)
end
2016-08-24 12:49:21 +05:30
end
def cannot_do_action?(action)
!can_do_action?(action)
end
def allowed?
2017-08-17 22:00:37 +05:30
return false unless can_access_git?
2014-09-02 18:07:02 +05:30
2016-04-02 18:10:28 +05:30
if user.requires_ldap_check? && user.try_obtain_ldap_lease
2020-04-08 14:13:33 +05:30
return false unless Gitlab::Auth::Ldap::Access.allowed?(user)
2014-09-02 18:07:02 +05:30
end
true
end
2016-08-24 12:49:21 +05:30
2017-09-10 17:25:29 +05:30
request_cache def can_create_tag?(ref)
return false unless can_access_git?
if protected?(ProtectedTag, project, ref)
protected_tag_accessible_to?(ref, action: :create)
else
2019-09-30 21:07:59 +05:30
user.can?(:admin_tag, project)
2017-09-10 17:25:29 +05:30
end
end
request_cache def can_delete_branch?(ref)
2017-08-17 22:00:37 +05:30
return false unless can_access_git?
2017-09-10 17:25:29 +05:30
if protected?(ProtectedBranch, project, ref)
2018-05-09 12:01:36 +05:30
user.can?(:push_to_delete_protected_branch, project)
2017-08-17 22:00:37 +05:30
else
user.can?(:push_code, project)
end
end
2017-09-10 17:25:29 +05:30
def can_update_branch?(ref)
can_push_to_branch?(ref) || can_merge_to_branch?(ref)
end
request_cache def can_push_to_branch?(ref)
2017-08-17 22:00:37 +05:30
return false unless can_access_git?
2018-05-09 12:01:36 +05:30
return false unless project
2020-03-07 23:17:34 +05:30
# Checking for an internal project to prevent an infinite loop:
# https://gitlab.com/gitlab-org/gitlab/issues/36805
if project.internal?
return false unless user.can?(:push_code, project)
else
return false if !user.can?(:push_code, project) && !project.branch_allows_collaboration?(user, ref)
end
2016-08-24 12:49:21 +05:30
2017-09-10 17:25:29 +05:30
if protected?(ProtectedBranch, project, ref)
2018-05-09 12:01:36 +05:30
protected_branch_accessible_to?(ref, action: :push)
2016-08-24 12:49:21 +05:30
else
2018-03-27 19:54:05 +05:30
true
2016-08-24 12:49:21 +05:30
end
end
2017-09-10 17:25:29 +05:30
request_cache def can_merge_to_branch?(ref)
2017-08-17 22:00:37 +05:30
return false unless can_access_git?
2016-08-24 12:49:21 +05:30
2017-09-10 17:25:29 +05:30
if protected?(ProtectedBranch, project, ref)
protected_branch_accessible_to?(ref, action: :merge)
2016-08-24 12:49:21 +05:30
else
user.can?(:push_code, project)
end
end
def can_read_project?
2017-08-17 22:00:37 +05:30
return false unless can_access_git?
2016-08-24 12:49:21 +05:30
user.can?(:read_project, project)
end
2017-08-17 22:00:37 +05:30
private
2018-03-17 18:26:18 +05:30
def permission_cache
@permission_cache ||= {}
end
2020-04-08 14:13:33 +05:30
request_cache def can_access_git?
2017-08-17 22:00:37 +05:30
user && user.can?(:access_git)
end
2017-09-10 17:25:29 +05:30
def protected_branch_accessible_to?(ref, action:)
ProtectedBranch.protected_ref_accessible_to?(
ref, user,
2018-05-09 12:01:36 +05:30
project: project,
2017-09-10 17:25:29 +05:30
action: action,
protected_refs: project.protected_branches)
end
def protected_tag_accessible_to?(ref, action:)
ProtectedTag.protected_ref_accessible_to?(
ref, user,
2018-05-09 12:01:36 +05:30
project: project,
2017-09-10 17:25:29 +05:30
action: action,
protected_refs: project.protected_tags)
end
2019-07-07 11:18:12 +05:30
request_cache def protected?(kind, project, refs)
kind.protected?(project, refs)
2017-09-10 17:25:29 +05:30
end
2014-09-02 18:07:02 +05:30
end
end