2014-05-15 08:17:13 +00:00
|
|
|
module Gitlab
|
2016-07-18 08:16:56 +00:00
|
|
|
class UserAccess
|
|
|
|
attr_reader :user, :project
|
|
|
|
|
|
|
|
def initialize(user, project: nil)
|
|
|
|
@user = user
|
|
|
|
@project = project
|
|
|
|
end
|
|
|
|
|
|
|
|
def can_do_action?(action)
|
2017-03-09 21:59:19 +00:00
|
|
|
return false unless can_access_git?
|
2016-11-16 14:07:04 +00:00
|
|
|
|
2016-07-18 08:16:56 +00:00
|
|
|
@permission_cache ||= {}
|
|
|
|
@permission_cache[action] ||= user.can?(action, project)
|
|
|
|
end
|
|
|
|
|
|
|
|
def cannot_do_action?(action)
|
|
|
|
!can_do_action?(action)
|
|
|
|
end
|
|
|
|
|
|
|
|
def allowed?
|
2017-03-09 21:59:19 +00:00
|
|
|
return false unless can_access_git?
|
2014-05-15 08:17:13 +00:00
|
|
|
|
2016-03-10 11:37:14 +00:00
|
|
|
if user.requires_ldap_check? && user.try_obtain_ldap_lease
|
|
|
|
return false unless Gitlab::LDAP::Access.allowed?(user)
|
2014-05-15 08:17:13 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
true
|
|
|
|
end
|
2016-07-18 08:16:56 +00:00
|
|
|
|
2017-03-31 16:57:29 +00:00
|
|
|
#TODO: Test this
|
|
|
|
#TODO move most to ProtectedTag::AccessChecker. Or maybe UserAccess::Protections::Tag
|
|
|
|
#TODO: then consider removing method, if it turns out can_access_git? and can?(:push_code are checked in change_access
|
|
|
|
def can_push_tag?(ref)
|
|
|
|
return false unless can_access_git?
|
|
|
|
|
|
|
|
if project.protected_tag?(ref)
|
2017-04-03 14:17:24 +00:00
|
|
|
project.protected_tags.matching_refs_accesible_to(ref, user)
|
2017-03-31 16:57:29 +00:00
|
|
|
else
|
|
|
|
user.can?(:push_code, project)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-07-18 08:16:56 +00:00
|
|
|
def can_push_to_branch?(ref)
|
2017-03-09 21:59:19 +00:00
|
|
|
return false unless can_access_git?
|
2016-07-18 08:16:56 +00:00
|
|
|
|
2016-07-08 06:15:02 +00:00
|
|
|
if project.protected_branch?(ref)
|
2016-08-01 15:48:15 +00:00
|
|
|
return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
|
|
|
|
|
2017-04-03 14:17:24 +00:00
|
|
|
has_access = project.protected_branches.matching_refs_accesible_to(ref, user, action: :push)
|
2017-01-05 11:40:54 +00:00
|
|
|
|
|
|
|
has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)
|
2016-07-18 08:16:56 +00:00
|
|
|
else
|
|
|
|
user.can?(:push_code, project)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def can_merge_to_branch?(ref)
|
2017-03-09 21:59:19 +00:00
|
|
|
return false unless can_access_git?
|
2016-07-18 08:16:56 +00:00
|
|
|
|
2016-07-08 06:15:02 +00:00
|
|
|
if project.protected_branch?(ref)
|
2017-04-03 14:17:24 +00:00
|
|
|
project.protected_branches.matching_refs_accesible_to(ref, user, action: :merge)
|
2016-07-18 08:16:56 +00:00
|
|
|
else
|
|
|
|
user.can?(:push_code, project)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def can_read_project?
|
2017-03-09 21:59:19 +00:00
|
|
|
return false unless can_access_git?
|
2016-07-18 08:16:56 +00:00
|
|
|
|
|
|
|
user.can?(:read_project, project)
|
|
|
|
end
|
2016-11-16 14:07:04 +00:00
|
|
|
|
|
|
|
private
|
|
|
|
|
2017-03-09 21:59:19 +00:00
|
|
|
def can_access_git?
|
|
|
|
user && user.can?(:access_git)
|
2016-11-16 14:07:04 +00:00
|
|
|
end
|
2014-05-15 08:17:13 +00:00
|
|
|
end
|
|
|
|
end
|