gitlab-org--gitlab-foss/lib/gitlab/user_access.rb

# frozen_string_literal: true

module Gitlab
  class UserAccess
    extend Gitlab::Cache::RequestCache

    request_cache_key do
      [user&.id, project&.id]
    end

    attr_reader :user
    attr_accessor :project

    def initialize(user, project: nil)
      @user = user
      @project = project
    end

    def can_do_action?(action)
      return false unless can_access_git?

      permission_cache[action] =
        permission_cache.fetch(action) do
          user.can?(action, project)
        end
    end

    def cannot_do_action?(action)
      !can_do_action?(action)
    end

    def allowed?
      return false unless can_access_git?

      if user.requires_ldap_check? && user.try_obtain_ldap_lease
        return false unless Gitlab::Auth::LDAP::Access.allowed?(user)
      end

      true
    end

    request_cache def can_create_tag?(ref)
      return false unless can_access_git?

      if protected?(ProtectedTag, project, ref)
        protected_tag_accessible_to?(ref, action: :create)
      else
        user.can?(:admin_tag, project)
      end
    end

    request_cache def can_delete_branch?(ref)
      return false unless can_access_git?

      if protected?(ProtectedBranch, project, ref)
        user.can?(:push_to_delete_protected_branch, project)
      else
        user.can?(:push_code, project)
      end
    end

    def can_update_branch?(ref)
      can_push_to_branch?(ref) || can_merge_to_branch?(ref)
    end

    request_cache def can_push_to_branch?(ref)
      return false unless can_access_git?
      return false unless project

      # Checking for an internal project to prevent an infinite loop:
      # https://gitlab.com/gitlab-org/gitlab/issues/36805
      if project.internal?
        return false unless user.can?(:push_code, project)
      else
        return false if !user.can?(:push_code, project) && !project.branch_allows_collaboration?(user, ref)
      end

      if protected?(ProtectedBranch, project, ref)
        protected_branch_accessible_to?(ref, action: :push)
      else
        true
      end
    end

    request_cache def can_merge_to_branch?(ref)
      return false unless can_access_git?

      if protected?(ProtectedBranch, project, ref)
        protected_branch_accessible_to?(ref, action: :merge)
      else
        user.can?(:push_code, project)
      end
    end

    def can_read_project?
      return false unless can_access_git?

      user.can?(:read_project, project)
    end

    private

    def permission_cache
      @permission_cache ||= {}
    end

    request_cache def can_access_git?
      user && user.can?(:access_git)
    end

    def protected_branch_accessible_to?(ref, action:)
      ProtectedBranch.protected_ref_accessible_to?(
        ref, user,
        project: project,
        action: action,
        protected_refs: project.protected_branches)
    end

    def protected_tag_accessible_to?(ref, action:)
      ProtectedTag.protected_ref_accessible_to?(
        ref, user,
        project: project,
        action: action,
        protected_refs: project.protected_tags)
    end

    request_cache def protected?(kind, project, refs)
      kind.protected?(project, refs)
    end
  end
end
Enable frozen string for lib/gitlab/*.rb 2018-10-22 07:00:50 +00:00			`# frozen_string_literal: true`

Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`module Gitlab`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`class UserAccess`
Follow feedback on the merge request 2017-07-18 09:48:48 +00:00			`extend Gitlab::Cache::RequestCache`
Introduce Gitlab::Cache::RequestStoreWrap So that we cache the result of UserAccess#can_push_or_merge_to_branch? in RequestStore, avoiding querying ProtectedBranch over and over for the list of pipelines (i.e. in PipelineSerializer) I don't think this is ideal because I don't like the idea of RequestStore in general, but this is the easiest way to cache it without changing the architecture. In the future we should cache more explicitly rather than this kind of global store. 2017-07-04 09:48:45 +00:00
Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache_key do`
Introduce Gitlab::Cache::RequestStoreWrap So that we cache the result of UserAccess#can_push_or_merge_to_branch? in RequestStore, avoiding querying ProtectedBranch over and over for the list of pipelines (i.e. in PipelineSerializer) I don't think this is ideal because I don't like the idea of RequestStore in general, but this is the easiest way to cache it without changing the architecture. In the future we should cache more explicitly rather than this kind of global store. 2017-07-04 09:48:45 +00:00			`[user&.id, project&.id]`
			`end`

Moves project creationg to git access check for git push 2018-02-02 15:27:30 +00:00			`attr_reader :user`
			`attr_accessor :project`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
			`def initialize(user, project: nil)`
			`@user = user`
			`@project = project`
			`end`

			`def can_do_action?(action)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00
Introduce PredicateMemoization cop and fix offenses with StrongMemoize 2018-01-09 17:30:04 +00:00			`permission_cache[action] =`
			`permission_cache.fetch(action) do`
			`user.can?(action, project)`
			`end`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`end`

			`def cannot_do_action?(action)`
			`!can_do_action?(action)`
			`end`

			`def allowed?`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00
Move method to User 2016-03-10 11:37:14 +00:00			`if user.requires_ldap_check? && user.try_obtain_ldap_lease`
Moved o_auth/saml/ldap modules under gitlab/auth 2018-02-23 12:10:39 +00:00			`return false unless Gitlab::Auth::LDAP::Access.allowed?(user)`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`end`

			`true`
			`end`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache def can_create_tag?(ref)`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`return false unless can_access_git?`

Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`if protected?(ProtectedTag, project, ref)`
			`protected_tag_accessible_to?(ref, action: :create)`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`else`
Add documentation and tests This commit adds - feature specs - to test the ability of a user with "developer" permission to delete tags in repositories. - documentation 2019-06-19 07:08:56 +00:00			`user.can?(:admin_tag, project)`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`end`
			`end`

Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache def can_delete_branch?(ref)`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`return false unless can_access_git?`

Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`if protected?(ProtectedBranch, project, ref)`
Rename delete_protected_branch ability to push_to_delete_protected_branch to prevent confusion with destroy_protected_branch 2018-04-02 16:30:49 +00:00			`user.can?(:push_to_delete_protected_branch, project)`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

Rename can_push_or_merge_to_branch? to can_update_branch? Also make sure pipeline would also check against tag as well 2017-07-18 13:56:28 +00:00			`def can_update_branch?(ref)`
Consistently check permission for creating pipelines, updating builds and updating pipelines. We check against being able to merge or push if the ref is protected. 2017-07-03 21:01:05 +00:00			`can_push_to_branch?(ref) \|\| can_merge_to_branch?(ref)`
			`end`

Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache def can_push_to_branch?(ref)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Allow admins to push to empty repos 2018-04-18 13:52:55 +00:00			`return false unless project`

Add latest changes from gitlab-org/gitlab@master 2020-03-04 21:07:54 +00:00			`# Checking for an internal project to prevent an infinite loop:`
			`# https://gitlab.com/gitlab-org/gitlab/issues/36805`
			`if project.internal?`
			`return false unless user.can?(:push_code, project)`
			`else`
			`return false if !user.can?(:push_code, project) && !project.branch_allows_collaboration?(user, ref)`
			`end`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`if protected?(ProtectedBranch, project, ref)`
Allow admins to push to empty repos 2018-04-18 13:52:55 +00:00			`protected_branch_accessible_to?(ref, action: :push)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`else`
Validate `:push_code` before checking protected branches 2018-03-07 23:08:52 +00:00			`true`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`end`
			`end`

Rename the methods to make it fit with current name 2017-07-18 10:04:20 +00:00			`request_cache def can_merge_to_branch?(ref)`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`if protected?(ProtectedBranch, project, ref)`
			`protected_branch_accessible_to?(ref, action: :merge)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

			`def can_read_project?`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`return false unless can_access_git?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 08:16:56 +00:00
			`user.can?(:read_project, project)`
			`end`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00
			`private`

Introduce PredicateMemoization cop and fix offenses with StrongMemoize 2018-01-09 17:30:04 +00:00			`def permission_cache`
			`@permission_cache \|\|= {}`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-02-27 15:09:24 +00:00			`request_cache def can_access_git?`
reverse the logic and use a clearer name 2017-03-09 21:59:19 +00:00			`user && user.can?(:access_git)`
Introduce no_user_or_blocked? and fix tests due to checking user permission. 2016-11-16 14:07:04 +00:00			`end`
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00
			`def protected_branch_accessible_to?(ref, action:)`
			`ProtectedBranch.protected_ref_accessible_to?(`
Fix tests and fine tweak permission error message 2017-07-19 14:37:38 +00:00			`ref, user,`
Allow admins to push to empty repos 2018-04-18 13:52:55 +00:00			`project: project,`
Fix tests and fine tweak permission error message 2017-07-19 14:37:38 +00:00			`action: action,`
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`protected_refs: project.protected_branches)`
			`end`

			`def protected_tag_accessible_to?(ref, action:)`
			`ProtectedTag.protected_ref_accessible_to?(`
Fix tests and fine tweak permission error message 2017-07-19 14:37:38 +00:00			`ref, user,`
Allow admins to push to empty repos 2018-04-18 13:52:55 +00:00			`project: project,`
Fix tests and fine tweak permission error message 2017-07-19 14:37:38 +00:00			`action: action,`
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`protected_refs: project.protected_tags)`
			`end`

Allow protected branch creation via web and API This commit includes changes to add `UserAccess#can_create_branch?` which will check whether the user is allowed to create a branch even if it matches a protected branch. This is used in `Gitlab::Checks::BranchCheck` when the branch name matches a protected branch. A `push_to_create_protected_branch` ability in `ProjectPolicy` has been added to allow Developers and above to create protected branches. 2019-03-06 12:20:27 +00:00			`request_cache def protected?(kind, project, refs)`
			`kind.protected?(project, refs)`
Eliminate N+1 queries on checking different protected refs I realized where the N+1 queries were actually coming from project.protected_branches, but how come we cannot preload this, or cache this at all? Then I found that this is somehow a Rails limitation. What we're doing before, eventually come to: project.protected_branches.matching But why it's not cached? (project.protected_branches.loaded? is always false) It's because matching is a class method, which is called on the proxy. In this case, Rails cannot cache the result. I don't know if this is possible to implement or not, because clearly this would require some tricks to implement class methods on associations. So instead, we could just pass project.protected_branches to ProtectedRef.matching, then it would work regularly. With this change, there's no more N+1 queries. 2017-07-19 11:12:11 +00:00			`end`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`end`
			`end`