gitlab-org--gitlab-foss/lib/gitlab/user_access.rb

module Gitlab
  class UserAccess
    attr_reader :user, :project

    def initialize(user, project: nil)
      @user = user
      @project = project
    end

    def can_do_action?(action)
      return false if no_user_or_blocked?

      @permission_cache ||= {}
      @permission_cache[action] ||= user.can?(action, project)
    end

    def cannot_do_action?(action)
      !can_do_action?(action)
    end

    def allowed?
      return false if no_user_or_blocked?

      if user.requires_ldap_check? && user.try_obtain_ldap_lease
        return false unless Gitlab::LDAP::Access.allowed?(user)
      end

      true
    end

    def can_push_to_branch?(ref)
      return false if no_user_or_blocked?

      if project.protected_branch?(ref)
        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)

        access_levels = project.protected_branches.matching(ref).map(&:push_access_levels).flatten
        has_access = access_levels.any? { |access_level| access_level.check_access(user) }

        has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)
      else
        user.can?(:push_code, project)
      end
    end

    def can_merge_to_branch?(ref)
      return false if no_user_or_blocked?

      if project.protected_branch?(ref)
        access_levels = project.protected_branches.matching(ref).map(&:merge_access_levels).flatten
        access_levels.any? { |access_level| access_level.check_access(user) }
      else
        user.can?(:push_code, project)
      end
    end

    def can_read_project?
      return false if no_user_or_blocked?

      user.can?(:read_project, project)
    end

    private

    def no_user_or_blocked?
      user.nil? || !user.can?(:access_git)
    end
  end
end
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`module Gitlab`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`class UserAccess`
			`attr_reader :user, :project`

			`def initialize(user, project: nil)`
			`@user = user`
			`@project = project`
			`end`

			`def can_do_action?(action)`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`return false if no_user_or_blocked?`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`@permission_cache \|\|= {}`
			`@permission_cache[action] \|\|= user.can?(action, project)`
			`end`

			`def cannot_do_action?(action)`
			`!can_do_action?(action)`
			`end`

			`def allowed?`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`return false if no_user_or_blocked?`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00
Move method to User 2016-03-10 11:37:14 +00:00			`if user.requires_ldap_check? && user.try_obtain_ldap_lease`
			`return false unless Gitlab::LDAP::Access.allowed?(user)`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`end`

			`true`
			`end`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
			`def can_push_to_branch?(ref)`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`return false if no_user_or_blocked?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Enforce "No One Can Push" during git operations. 1. The crux of this change is in `UserAccess`, which looks through all the access levels, asking each if the user has access to push/merge for the current project. 2. Update the `protected_branches` factory to create access levels as necessary. 3. Fix and augment `user_access` and `git_access` specs. 2016-07-08 06:15:02 +00:00			`if project.protected_branch?(ref)`
changes default_branch_protection to allow devs_can_merge protection option aswell 2016-08-01 15:48:15 +00:00			`return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)`

Improve EE compatibility with protected branch access levels. 1. Change a few incorrect `access_level` to `access_levels.first` that were missed in e805a64. 2. `API::Entities` can iterate over all access levels instead of just the first one. This makes no difference to CE, and makes it more compatible with EE. 2016-08-16 06:30:56 +00:00			`access_levels = project.protected_branches.matching(ref).map(&:push_access_levels).flatten`
Allow creating protected branch when it doesn't exist if user has either push or merge permissions + Change log entry for fix to creating a branch matching a wildcard fails 2017-01-05 11:40:54 +00:00			`has_access = access_levels.any? { \|access_level\| access_level.check_access(user) }`

			`has_access \|\| !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

			`def can_merge_to_branch?(ref)`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`return false if no_user_or_blocked?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Enforce "No One Can Push" during git operations. 1. The crux of this change is in `UserAccess`, which looks through all the access levels, asking each if the user has access to push/merge for the current project. 2. Update the `protected_branches` factory to create access levels as necessary. 3. Fix and augment `user_access` and `git_access` specs. 2016-07-08 06:15:02 +00:00			`if project.protected_branch?(ref)`
Improve EE compatibility with protected branch access levels. 1. Change a few incorrect `access_level` to `access_levels.first` that were missed in e805a64. 2. `API::Entities` can iterate over all access levels instead of just the first one. This makes no difference to CE, and makes it more compatible with EE. 2016-08-16 06:30:56 +00:00			`access_levels = project.protected_branches.matching(ref).map(&:merge_access_levels).flatten`
Enforce "No One Can Push" during git operations. 1. The crux of this change is in `UserAccess`, which looks through all the access levels, asking each if the user has access to push/merge for the current project. 2. Update the `protected_branches` factory to create access levels as necessary. 3. Fix and augment `user_access` and `git_access` specs. 2016-07-08 06:15:02 +00:00			`access_levels.any? { \|access_level\| access_level.check_access(user) }`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

			`def can_read_project?`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`return false if no_user_or_blocked?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
			`user.can?(:read_project, project)`
			`end`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00
			`private`

			`def no_user_or_blocked?`
protect git access through the policy infra 2017-02-28 21:37:35 +00:00			`user.nil? \|\| !user.can?(:access_git)`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`end`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`end`
			`end`