gitlab-org--gitlab-foss/lib/gitlab/user_access.rb

module Gitlab
  class UserAccess
    extend Gitlab::Cache::RequestStoreWrap

    request_store_wrap_key do
      [user&.id, project&.id]
    end

    attr_reader :user, :project

    def initialize(user, project: nil)
      @user = user
      @project = project
    end

    def can_do_action?(action)
      return false unless can_access_git?

      @permission_cache ||= {}
      @permission_cache[action] ||= user.can?(action, project)
    end

    def cannot_do_action?(action)
      !can_do_action?(action)
    end

    def allowed?
      return false unless can_access_git?

      if user.requires_ldap_check? && user.try_obtain_ldap_lease
        return false unless Gitlab::LDAP::Access.allowed?(user)
      end

      true
    end

    request_store_wrap def can_create_tag?(ref)
      return false unless can_access_git?

      if ProtectedTag.protected?(project, ref)
        project.protected_tags.protected_ref_accessible_to?(ref, user, action: :create)
      else
        user.can?(:push_code, project)
      end
    end

    request_store_wrap def can_delete_branch?(ref)
      return false unless can_access_git?

      if ProtectedBranch.protected?(project, ref)
        user.can?(:delete_protected_branch, project)
      else
        user.can?(:push_code, project)
      end
    end

    request_store_wrap def can_push_to_branch?(ref)
      return false unless can_access_git?

      if ProtectedBranch.protected?(project, ref)
        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)

        project.protected_branches.protected_ref_accessible_to?(ref, user, action: :push)
      else
        user.can?(:push_code, project)
      end
    end

    request_store_wrap def can_merge_to_branch?(ref)
      return false unless can_access_git?

      if ProtectedBranch.protected?(project, ref)
        project.protected_branches.protected_ref_accessible_to?(ref, user, action: :merge)
      else
        user.can?(:push_code, project)
      end
    end

    def can_read_project?
      return false unless can_access_git?

      user.can?(:read_project, project)
    end

    private

    def can_access_git?
      user && user.can?(:access_git)
    end
  end
end
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`module Gitlab`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`class UserAccess`
Add RequestStoreWrap to cache via RequestStore I don't like the idea of `RequestStore` at all, because it's just a global state which shouldn't be used at all. But we have a number of places calling `ProtectedBranch.protected?` and `ProtectedTag.protected?` in a loop for the same user, project, and ref whenever we're checking against if the jobs for a given pipeline is accessible for a given user. This means we're effectively making N queries for the same thing over and over. To properly fix this, we need to change how we check the permission, and that could be a huge work. To solve this quickly, adding a cache layer for the given request would be quite simple to do. We're already doing this in Commit#author, and this is extending that idea and make it generalized. 2017-07-17 15:24:46 +00:00			`extend Gitlab::Cache::RequestStoreWrap`

			`request_store_wrap_key do`
			`[user&.id, project&.id]`
			`end`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`attr_reader :user, :project`

			`def initialize(user, project: nil)`
			`@user = user`
			`@project = project`
			`end`

			`def can_do_action?(action)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`@permission_cache \|\|= {}`
			`@permission_cache[action] \|\|= user.can?(action, project)`
			`end`

			`def cannot_do_action?(action)`
			`!can_do_action?(action)`
			`end`

			`def allowed?`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00
Move method to User 2016-03-10 11:37:14 +00:00			`if user.requires_ldap_check? && user.try_obtain_ldap_lease`
			`return false unless Gitlab::LDAP::Access.allowed?(user)`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`end`

			`true`
			`end`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Add RequestStoreWrap to cache via RequestStore I don't like the idea of `RequestStore` at all, because it's just a global state which shouldn't be used at all. But we have a number of places calling `ProtectedBranch.protected?` and `ProtectedTag.protected?` in a loop for the same user, project, and ref whenever we're checking against if the jobs for a given pipeline is accessible for a given user. This means we're effectively making N queries for the same thing over and over. To properly fix this, we need to change how we check the permission, and that could be a huge work. To solve this quickly, adding a cache layer for the given request would be quite simple to do. We're already doing this in Commit#author, and this is extending that idea and make it generalized. 2017-07-17 15:24:46 +00:00			`request_store_wrap def can_create_tag?(ref)`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`return false unless can_access_git?`

Moved Project#protected_branch? to ProtectedBranch, similar for tags 2017-04-03 17:59:58 +00:00			`if ProtectedTag.protected?(project, ref)`
Fixed UserAccess#can_create_tag? after create_access_levels rename 2017-04-04 02:50:15 +00:00			`project.protected_tags.protected_ref_accessible_to?(ref, user, action: :create)`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

Add RequestStoreWrap to cache via RequestStore I don't like the idea of `RequestStore` at all, because it's just a global state which shouldn't be used at all. But we have a number of places calling `ProtectedBranch.protected?` and `ProtectedTag.protected?` in a loop for the same user, project, and ref whenever we're checking against if the jobs for a given pipeline is accessible for a given user. This means we're effectively making N queries for the same thing over and over. To properly fix this, we need to change how we check the permission, and that could be a huge work. To solve this quickly, adding a cache layer for the given request would be quite simple to do. We're already doing this in Commit#author, and this is extending that idea and make it generalized. 2017-07-17 15:24:46 +00:00			`request_store_wrap def can_delete_branch?(ref)`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`return false unless can_access_git?`

			`if ProtectedBranch.protected?(project, ref)`
			`user.can?(:delete_protected_branch, project)`
			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

Add RequestStoreWrap to cache via RequestStore I don't like the idea of `RequestStore` at all, because it's just a global state which shouldn't be used at all. But we have a number of places calling `ProtectedBranch.protected?` and `ProtectedTag.protected?` in a loop for the same user, project, and ref whenever we're checking against if the jobs for a given pipeline is accessible for a given user. This means we're effectively making N queries for the same thing over and over. To properly fix this, we need to change how we check the permission, and that could be a huge work. To solve this quickly, adding a cache layer for the given request would be quite simple to do. We're already doing this in Commit#author, and this is extending that idea and make it generalized. 2017-07-17 15:24:46 +00:00			`request_store_wrap def can_push_to_branch?(ref)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Moved Project#protected_branch? to ProtectedBranch, similar for tags 2017-04-03 17:59:58 +00:00			`if ProtectedBranch.protected?(project, ref)`
changes default_branch_protection to allow devs_can_merge protection option aswell 2016-08-01 15:48:15 +00:00			`return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)`

Prevent people from creating branches if they don't have persmission to push 2017-04-28 14:05:00 +00:00			`project.protected_branches.protected_ref_accessible_to?(ref, user, action: :push)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

Add RequestStoreWrap to cache via RequestStore I don't like the idea of `RequestStore` at all, because it's just a global state which shouldn't be used at all. But we have a number of places calling `ProtectedBranch.protected?` and `ProtectedTag.protected?` in a loop for the same user, project, and ref whenever we're checking against if the jobs for a given pipeline is accessible for a given user. This means we're effectively making N queries for the same thing over and over. To properly fix this, we need to change how we check the permission, and that could be a huge work. To solve this quickly, adding a cache layer for the given request would be quite simple to do. We're already doing this in Commit#author, and this is extending that idea and make it generalized. 2017-07-17 15:24:46 +00:00			`request_store_wrap def can_merge_to_branch?(ref)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Moved Project#protected_branch? to ProtectedBranch, similar for tags 2017-04-03 17:59:58 +00:00			`if ProtectedBranch.protected?(project, ref)`
Cleanup & tests for UserAccess#can_create_tag? 2017-04-04 01:05:42 +00:00			`project.protected_branches.protected_ref_accessible_to?(ref, user, action: :merge)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

			`def can_read_project?`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
			`user.can?(:read_project, project)`
			`end`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00
			`private`

reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`def can_access_git?`
			`user && user.can?(:access_git)`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`end`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`end`
			`end`