2014-03-19 19:01:00 +00:00
|
|
|
module Gitlab
|
|
|
|
|
class GitAccess
|
|
|
|
|
DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
|
|
|
|
|
PUSH_COMMANDS = %w{ git-receive-pack }
|
|
|
|
|
|
|
|
|
|
attr_reader :params, :project, :git_cmd, :user
|
|
|
|
|
|
2014-01-28 21:36:50 +00:00
|
|
|
def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil, forced_push = false)
|
2014-03-19 19:01:00 +00:00
|
|
|
case cmd
|
|
|
|
|
when *DOWNLOAD_COMMANDS
|
|
|
|
|
if actor.is_a? User
|
|
|
|
|
download_allowed?(actor, project)
|
|
|
|
|
elsif actor.is_a? DeployKey
|
|
|
|
|
actor.projects.include?(project)
|
|
|
|
|
elsif actor.is_a? Key
|
|
|
|
|
download_allowed?(actor.user, project)
|
|
|
|
|
else
|
|
|
|
|
raise 'Wrong actor'
|
|
|
|
|
end
|
|
|
|
|
when *PUSH_COMMANDS
|
|
|
|
|
if actor.is_a? User
|
2014-01-28 21:36:50 +00:00
|
|
|
push_allowed?(actor, project, ref, oldrev, newrev, forced_push)
|
2014-03-19 19:01:00 +00:00
|
|
|
elsif actor.is_a? DeployKey
|
|
|
|
|
# Deploy key not allowed to push
|
|
|
|
|
return false
|
|
|
|
|
elsif actor.is_a? Key
|
2014-01-28 21:36:50 +00:00
|
|
|
push_allowed?(actor.user, project, ref, oldrev, newrev, forced_push)
|
2014-03-19 19:01:00 +00:00
|
|
|
else
|
|
|
|
|
raise 'Wrong actor'
|
|
|
|
|
end
|
|
|
|
|
else
|
|
|
|
|
false
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def download_allowed?(user, project)
|
2014-03-21 12:52:30 +00:00
|
|
|
if user && user_allowed?(user)
|
2014-03-19 19:01:00 +00:00
|
|
|
user.can?(:download_code, project)
|
|
|
|
|
else
|
|
|
|
|
false
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2014-01-28 21:36:50 +00:00
|
|
|
def push_allowed?(user, project, ref, oldrev, newrev, forced_push)
|
2014-03-21 12:52:30 +00:00
|
|
|
if user && user_allowed?(user)
|
2014-03-19 19:01:00 +00:00
|
|
|
action = if project.protected_branch?(ref)
|
2014-04-03 12:03:45 +00:00
|
|
|
if forced_push.to_s == 'true'
|
2014-01-28 21:36:50 +00:00
|
|
|
:force_push_code_to_protected_branches
|
|
|
|
|
else
|
|
|
|
|
:push_code_to_protected_branches
|
|
|
|
|
end
|
|
|
|
|
else
|
|
|
|
|
:push_code
|
|
|
|
|
end
|
2014-03-19 19:01:00 +00:00
|
|
|
user.can?(action, project)
|
|
|
|
|
else
|
|
|
|
|
false
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
|
|
def user_allowed?(user)
|
|
|
|
|
return false if user.blocked?
|
|
|
|
|
|
|
|
|
|
if Gitlab.config.ldap.enabled
|
|
|
|
|
if user.ldap_user?
|
|
|
|
|
# Check if LDAP user exists and match LDAP user_filter
|
2014-05-14 17:04:00 +00:00
|
|
|
Gitlab::LDAP::Access.open do |adapter|
|
|
|
|
|
return false unless adapter.allowed?(user)
|
2014-03-19 19:01:00 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
true
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
