2018-10-22 03:00:50 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2014-05-15 04:17:13 -04:00
|
|
|
module Gitlab
|
2016-07-18 04:16:56 -04:00
|
|
|
class UserAccess
|
2017-07-18 05:48:48 -04:00
|
|
|
extend Gitlab::Cache::RequestCache
|
2017-07-04 05:48:45 -04:00
|
|
|
|
2017-07-18 06:04:20 -04:00
|
|
|
request_cache_key do
|
2020-07-21 14:09:45 -04:00
|
|
|
[user&.id, container&.to_global_id]
|
2017-07-04 05:48:45 -04:00
|
|
|
end
|
|
|
|
|
2020-07-21 14:09:45 -04:00
|
|
|
attr_reader :user, :push_ability
|
|
|
|
attr_accessor :container
|
2016-07-18 04:16:56 -04:00
|
|
|
|
2021-03-31 14:09:19 -04:00
|
|
|
def initialize(user, container: nil, push_ability: :push_code, skip_collaboration_check: false)
|
2016-07-18 04:16:56 -04:00
|
|
|
@user = user
|
2020-07-21 14:09:45 -04:00
|
|
|
@container = container
|
|
|
|
@push_ability = push_ability
|
2021-03-31 14:09:19 -04:00
|
|
|
@skip_collaboration_check = skip_collaboration_check
|
2016-07-18 04:16:56 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def can_do_action?(action)
|
2017-03-09 16:59:19 -05:00
|
|
|
return false unless can_access_git?
|
2016-11-16 09:07:04 -05:00
|
|
|
|
2018-01-09 12:30:04 -05:00
|
|
|
permission_cache[action] =
|
|
|
|
permission_cache.fetch(action) do
|
2020-07-21 14:09:45 -04:00
|
|
|
user.can?(action, container)
|
2018-01-09 12:30:04 -05:00
|
|
|
end
|
2016-07-18 04:16:56 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def cannot_do_action?(action)
|
|
|
|
!can_do_action?(action)
|
|
|
|
end
|
|
|
|
|
|
|
|
def allowed?
|
2017-03-09 16:59:19 -05:00
|
|
|
return false unless can_access_git?
|
2014-05-15 04:17:13 -04:00
|
|
|
|
2016-03-10 06:37:14 -05:00
|
|
|
if user.requires_ldap_check? && user.try_obtain_ldap_lease
|
2020-03-12 11:09:39 -04:00
|
|
|
return false unless Gitlab::Auth::Ldap::Access.allowed?(user)
|
2014-05-15 04:17:13 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
true
|
|
|
|
end
|
2016-07-18 04:16:56 -04:00
|
|
|
|
2017-07-18 06:04:20 -04:00
|
|
|
request_cache def can_create_tag?(ref)
|
2017-03-31 12:57:29 -04:00
|
|
|
return false unless can_access_git?
|
|
|
|
|
2020-07-21 14:09:45 -04:00
|
|
|
if protected?(ProtectedTag, ref)
|
2017-07-19 07:12:11 -04:00
|
|
|
protected_tag_accessible_to?(ref, action: :create)
|
2017-03-31 12:57:29 -04:00
|
|
|
else
|
2020-07-21 14:09:45 -04:00
|
|
|
user.can?(:admin_tag, container)
|
2017-03-31 12:57:29 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-07-18 06:04:20 -04:00
|
|
|
request_cache def can_delete_branch?(ref)
|
2017-05-08 03:41:58 -04:00
|
|
|
return false unless can_access_git?
|
|
|
|
|
2020-07-21 14:09:45 -04:00
|
|
|
if protected?(ProtectedBranch, ref)
|
|
|
|
user.can?(:push_to_delete_protected_branch, container)
|
2017-05-08 03:41:58 -04:00
|
|
|
else
|
2020-07-21 14:09:45 -04:00
|
|
|
can_push?
|
2017-05-08 03:41:58 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-07-18 09:56:28 -04:00
|
|
|
def can_update_branch?(ref)
|
2017-07-03 17:01:05 -04:00
|
|
|
can_push_to_branch?(ref) || can_merge_to_branch?(ref)
|
|
|
|
end
|
|
|
|
|
2017-07-18 06:04:20 -04:00
|
|
|
request_cache def can_push_to_branch?(ref)
|
2020-07-21 14:09:45 -04:00
|
|
|
return false unless can_access_git? && container && can_collaborate?(ref)
|
|
|
|
return true unless protected?(ProtectedBranch, ref)
|
2016-07-18 04:16:56 -04:00
|
|
|
|
2020-07-21 14:09:45 -04:00
|
|
|
protected_branch_accessible_to?(ref, action: :push)
|
2016-07-18 04:16:56 -04:00
|
|
|
end
|
|
|
|
|
2017-07-18 06:04:20 -04:00
|
|
|
request_cache def can_merge_to_branch?(ref)
|
2017-03-09 16:59:19 -05:00
|
|
|
return false unless can_access_git?
|
2016-07-18 04:16:56 -04:00
|
|
|
|
2020-07-21 14:09:45 -04:00
|
|
|
if protected?(ProtectedBranch, ref)
|
2017-07-19 07:12:11 -04:00
|
|
|
protected_branch_accessible_to?(ref, action: :merge)
|
2016-07-18 04:16:56 -04:00
|
|
|
else
|
2020-07-21 14:09:45 -04:00
|
|
|
can_push?
|
2016-07-18 04:16:56 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-12-14 22:10:12 -05:00
|
|
|
def can_push_for_ref?(_)
|
|
|
|
can_do_action?(:push_code)
|
|
|
|
end
|
|
|
|
|
2016-11-16 09:07:04 -05:00
|
|
|
private
|
|
|
|
|
2021-03-31 14:09:19 -04:00
|
|
|
attr_reader :skip_collaboration_check
|
|
|
|
|
2020-07-21 14:09:45 -04:00
|
|
|
def can_push?
|
|
|
|
user.can?(push_ability, container)
|
|
|
|
end
|
|
|
|
|
|
|
|
def can_collaborate?(ref)
|
|
|
|
assert_project!
|
|
|
|
|
2020-11-10 10:09:14 -05:00
|
|
|
can_push? || branch_allows_collaboration_for?(ref)
|
|
|
|
end
|
|
|
|
|
|
|
|
def branch_allows_collaboration_for?(ref)
|
2021-03-31 14:09:19 -04:00
|
|
|
return false if skip_collaboration_check
|
|
|
|
|
2022-04-27 14:10:15 -04:00
|
|
|
project.branch_allows_collaboration?(user, ref)
|
2020-07-21 14:09:45 -04:00
|
|
|
end
|
|
|
|
|
2018-01-09 12:30:04 -05:00
|
|
|
def permission_cache
|
|
|
|
@permission_cache ||= {}
|
|
|
|
end
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
request_cache def can_access_git?
|
2017-03-09 16:59:19 -05:00
|
|
|
user && user.can?(:access_git)
|
2016-11-16 09:07:04 -05:00
|
|
|
end
|
2017-07-19 07:12:11 -04:00
|
|
|
|
|
|
|
def protected_branch_accessible_to?(ref, action:)
|
2020-07-21 14:09:45 -04:00
|
|
|
assert_project!
|
|
|
|
|
2017-07-19 07:12:11 -04:00
|
|
|
ProtectedBranch.protected_ref_accessible_to?(
|
2017-07-19 10:37:38 -04:00
|
|
|
ref, user,
|
2018-04-18 09:52:55 -04:00
|
|
|
project: project,
|
2017-07-19 10:37:38 -04:00
|
|
|
action: action,
|
2017-07-19 07:12:11 -04:00
|
|
|
protected_refs: project.protected_branches)
|
|
|
|
end
|
|
|
|
|
|
|
|
def protected_tag_accessible_to?(ref, action:)
|
2020-07-21 14:09:45 -04:00
|
|
|
assert_project!
|
|
|
|
|
2017-07-19 07:12:11 -04:00
|
|
|
ProtectedTag.protected_ref_accessible_to?(
|
2017-07-19 10:37:38 -04:00
|
|
|
ref, user,
|
2018-04-18 09:52:55 -04:00
|
|
|
project: project,
|
2017-07-19 10:37:38 -04:00
|
|
|
action: action,
|
2017-07-19 07:12:11 -04:00
|
|
|
protected_refs: project.protected_tags)
|
|
|
|
end
|
|
|
|
|
2020-07-21 14:09:45 -04:00
|
|
|
request_cache def protected?(kind, refs)
|
|
|
|
assert_project!
|
|
|
|
|
2019-03-06 07:20:27 -05:00
|
|
|
kind.protected?(project, refs)
|
2017-07-19 07:12:11 -04:00
|
|
|
end
|
2020-07-21 14:09:45 -04:00
|
|
|
|
|
|
|
def project
|
|
|
|
container
|
|
|
|
end
|
|
|
|
|
|
|
|
# Any method that assumes that it is operating on a project should make this
|
|
|
|
# explicit by calling `#assert_project!`.
|
|
|
|
# TODO: remove when we make this class polymorphic enough not to care about projects
|
|
|
|
# See: https://gitlab.com/gitlab-org/gitlab/-/issues/227635
|
|
|
|
def assert_project!
|
|
|
|
raise "No project! #{project.inspect} is not a Project" unless project.is_a?(::Project)
|
|
|
|
end
|
2014-05-15 04:17:13 -04:00
|
|
|
end
|
|
|
|
end
|