2014-03-19 15:01:00 -04:00
|
|
|
module Gitlab
|
|
|
|
class GitAccess
|
|
|
|
DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
|
|
|
|
PUSH_COMMANDS = %w{ git-receive-pack }
|
|
|
|
|
|
|
|
attr_reader :params, :project, :git_cmd, :user
|
|
|
|
|
2014-01-28 16:36:50 -05:00
|
|
|
def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil, forced_push = false)
|
2014-03-19 15:01:00 -04:00
|
|
|
case cmd
|
|
|
|
when *DOWNLOAD_COMMANDS
|
|
|
|
if actor.is_a? User
|
|
|
|
download_allowed?(actor, project)
|
|
|
|
elsif actor.is_a? DeployKey
|
|
|
|
actor.projects.include?(project)
|
|
|
|
elsif actor.is_a? Key
|
|
|
|
download_allowed?(actor.user, project)
|
|
|
|
else
|
|
|
|
raise 'Wrong actor'
|
|
|
|
end
|
|
|
|
when *PUSH_COMMANDS
|
|
|
|
if actor.is_a? User
|
2014-01-28 16:36:50 -05:00
|
|
|
push_allowed?(actor, project, ref, oldrev, newrev, forced_push)
|
2014-03-19 15:01:00 -04:00
|
|
|
elsif actor.is_a? DeployKey
|
|
|
|
# Deploy key not allowed to push
|
|
|
|
return false
|
|
|
|
elsif actor.is_a? Key
|
2014-01-28 16:36:50 -05:00
|
|
|
push_allowed?(actor.user, project, ref, oldrev, newrev, forced_push)
|
2014-03-19 15:01:00 -04:00
|
|
|
else
|
|
|
|
raise 'Wrong actor'
|
|
|
|
end
|
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def download_allowed?(user, project)
|
2014-03-21 08:52:30 -04:00
|
|
|
if user && user_allowed?(user)
|
2014-03-19 15:01:00 -04:00
|
|
|
user.can?(:download_code, project)
|
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-01-28 16:36:50 -05:00
|
|
|
def push_allowed?(user, project, ref, oldrev, newrev, forced_push)
|
2014-03-21 08:52:30 -04:00
|
|
|
if user && user_allowed?(user)
|
2014-03-19 15:01:00 -04:00
|
|
|
action = if project.protected_branch?(ref)
|
2014-05-22 08:38:47 -04:00
|
|
|
# we dont allow force push to protected branch
|
|
|
|
if forced_push.to_s == 'true'
|
|
|
|
:force_push_code_to_protected_branches
|
|
|
|
# and we dont allow remove of protected branch
|
|
|
|
elsif newrev =~ /0000000/
|
|
|
|
:remove_protected_branches
|
|
|
|
else
|
|
|
|
:push_code_to_protected_branches
|
|
|
|
end
|
2014-05-30 09:26:45 -04:00
|
|
|
elsif project.repository && project.repository.tag_names.include?(ref)
|
|
|
|
# Prevent any changes to existing git tag unless user has permissions
|
|
|
|
:admin_project
|
2014-05-22 08:38:47 -04:00
|
|
|
else
|
|
|
|
:push_code
|
|
|
|
end
|
2014-03-19 15:01:00 -04:00
|
|
|
user.can?(action, project)
|
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def user_allowed?(user)
|
2014-05-15 04:17:13 -04:00
|
|
|
Gitlab::UserAccess.allowed?(user)
|
2014-03-19 15:01:00 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|