gitlab-org--gitlab-foss/lib/gitlab/user_access.rb

module Gitlab
  class UserAccess
    extend Gitlab::Cache::RequestCache

    request_cache_key do
      [user&.id, project&.id]
    end

    attr_reader :user, :project

    def initialize(user, project: nil)
      @user = user
      @project = project
    end

    def can_do_action?(action)
      return false unless can_access_git?

      @permission_cache ||= {}
      @permission_cache[action] ||= user.can?(action, project)
    end

    def cannot_do_action?(action)
      !can_do_action?(action)
    end

    def allowed?
      return false unless can_access_git?

      if user.requires_ldap_check? && user.try_obtain_ldap_lease
        return false unless Gitlab::LDAP::Access.allowed?(user)
      end

      true
    end

    request_cache def can_create_tag?(ref)
      return false unless can_access_git?

      if protected?(ProtectedTag, project, ref)
        protected_tag_accessible_to?(ref, action: :create)
      else
        user.can?(:push_code, project)
      end
    end

    request_cache def can_delete_branch?(ref)
      return false unless can_access_git?

      if protected?(ProtectedBranch, project, ref)
        user.can?(:delete_protected_branch, project)
      else
        user.can?(:push_code, project)
      end
    end

    def can_update_branch?(ref)
      can_push_to_branch?(ref) || can_merge_to_branch?(ref)
    end

    request_cache def can_push_to_branch?(ref)
      return false unless can_access_git?

      if protected?(ProtectedBranch, project, ref)
        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)

        protected_branch_accessible_to?(ref, action: :push)
      else
        user.can?(:push_code, project)
      end
    end

    request_cache def can_merge_to_branch?(ref)
      return false unless can_access_git?

      if protected?(ProtectedBranch, project, ref)
        protected_branch_accessible_to?(ref, action: :merge)
      else
        user.can?(:push_code, project)
      end
    end

    def can_read_project?
      return false unless can_access_git?

      user.can?(:read_project, project)
    end

    private

    def can_access_git?
      user && user.can?(:access_git)
    end

    def protected_branch_accessible_to?(ref, action:)
      ProtectedBranch.protected_ref_accessible_to?(
        ref, user,
        action: action,
        protected_refs: project.protected_branches)
    end

    def protected_tag_accessible_to?(ref, action:)
      ProtectedTag.protected_ref_accessible_to?(
        ref, user,
        action: action,
        protected_refs: project.protected_tags)
    end

    request_cache def protected?(kind, project, ref)
      kind.protected?(project, ref)
    end
  end
end
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`module Gitlab`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`class UserAccess`
Follow feedback on the merge request 2017-07-18 09:48:48 +00:00			`extend Gitlab::Cache::RequestCache`
Introduce Gitlab::Cache::RequestStoreWrap So that we cache the result of UserAccess#can_push_or_merge_to_branch? in RequestStore, avoiding querying ProtectedBranch over and over for the list of pipelines (i.e. in PipelineSerializer) I don't think this is ideal because I don't like the idea of RequestStore in general, but this is the easiest way to cache it without changing the architecture. In the future we should cache more explicitly rather than this kind of global store. 2017-07-04 09:48:45 +00:00
Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache_key do`
Introduce Gitlab::Cache::RequestStoreWrap So that we cache the result of UserAccess#can_push_or_merge_to_branch? in RequestStore, avoiding querying ProtectedBranch over and over for the list of pipelines (i.e. in PipelineSerializer) I don't think this is ideal because I don't like the idea of RequestStore in general, but this is the easiest way to cache it without changing the architecture. In the future we should cache more explicitly rather than this kind of global store. 2017-07-04 09:48:45 +00:00			`[user&.id, project&.id]`
			`end`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`attr_reader :user, :project`

			`def initialize(user, project: nil)`
			`@user = user`
			`@project = project`
			`end`

			`def can_do_action?(action)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`@permission_cache \|\|= {}`
			`@permission_cache[action] \|\|= user.can?(action, project)`
			`end`

			`def cannot_do_action?(action)`
			`!can_do_action?(action)`
			`end`

			`def allowed?`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00
Move method to User 2016-03-10 11:37:14 +00:00			`if user.requires_ldap_check? && user.try_obtain_ldap_lease`
			`return false unless Gitlab::LDAP::Access.allowed?(user)`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`end`

			`true`
			`end`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache def can_create_tag?(ref)`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`return false unless can_access_git?`

Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`if protected?(ProtectedTag, project, ref)`
			`protected_tag_accessible_to?(ref, action: :create)`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache def can_delete_branch?(ref)`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`return false unless can_access_git?`

Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`if protected?(ProtectedBranch, project, ref)`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`user.can?(:delete_protected_branch, project)`
			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 13:56:28 +00:00			`def can_update_branch?(ref)`
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 21:01:05 +00:00			`can_push_to_branch?(ref) \|\| can_merge_to_branch?(ref)`
			`end`

Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache def can_push_to_branch?(ref)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`if protected?(ProtectedBranch, project, ref)`
changes default_branch_protection to allow devs_can_merge protection option aswell 2016-08-01 15:48:15 +00:00			`return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)`

Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`protected_branch_accessible_to?(ref, action: :push)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache def can_merge_to_branch?(ref)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`if protected?(ProtectedBranch, project, ref)`
			`protected_branch_accessible_to?(ref, action: :merge)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

			`def can_read_project?`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
			`user.can?(:read_project, project)`
			`end`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00
			`private`

reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`def can_access_git?`
			`user && user.can?(:access_git)`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`end`
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00
			`def protected_branch_accessible_to?(ref, action:)`
			`ProtectedBranch.protected_ref_accessible_to?(`
Fix tests and fine tweak permission error message 2017-07-19 14:37:38 +00:00			`ref, user,`
			`action: action,`
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`protected_refs: project.protected_branches)`
			`end`

			`def protected_tag_accessible_to?(ref, action:)`
			`ProtectedTag.protected_ref_accessible_to?(`
Fix tests and fine tweak permission error message 2017-07-19 14:37:38 +00:00			`ref, user,`
			`action: action,`
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`protected_refs: project.protected_tags)`
			`end`

			`request_cache def protected?(kind, project, ref)`
			`kind.protected?(project, ref)`
			`end`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`end`
			`end`