2016-07-18 04:16:56 -04:00
|
|
|
module Gitlab
|
|
|
|
module Checks
|
|
|
|
class ChangeAccess
|
2016-11-17 14:48:23 -05:00
|
|
|
attr_reader :user_access, :project, :skip_authorization
|
2016-07-18 04:16:56 -04:00
|
|
|
|
2016-11-17 14:48:23 -05:00
|
|
|
def initialize(
|
|
|
|
change, user_access:, project:, skip_authorization: false)
|
2016-07-28 00:04:57 -04:00
|
|
|
@oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
|
|
|
|
@branch_name = Gitlab::Git.branch_name(@ref)
|
2016-07-18 04:16:56 -04:00
|
|
|
@user_access = user_access
|
|
|
|
@project = project
|
2016-11-17 14:48:23 -05:00
|
|
|
@skip_authorization = skip_authorization
|
2016-07-18 04:16:56 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def exec
|
2016-08-12 18:27:42 -04:00
|
|
|
error = push_checks || tag_checks || protected_branch_checks
|
2016-07-18 04:16:56 -04:00
|
|
|
|
|
|
|
if error
|
|
|
|
GitAccessStatus.new(false, error)
|
|
|
|
else
|
|
|
|
GitAccessStatus.new(true)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
protected
|
|
|
|
|
|
|
|
def protected_branch_checks
|
2016-11-17 14:48:23 -05:00
|
|
|
return if skip_authorization
|
2016-09-13 05:43:41 -04:00
|
|
|
return unless @branch_name
|
2016-07-18 04:16:56 -04:00
|
|
|
return unless project.protected_branch?(@branch_name)
|
|
|
|
|
|
|
|
if forced_push? && user_access.cannot_do_action?(:force_push_code_to_protected_branches)
|
|
|
|
return "You are not allowed to force push code to a protected branch on this project."
|
|
|
|
elsif Gitlab::Git.blank_ref?(@newrev) && user_access.cannot_do_action?(:remove_protected_branches)
|
|
|
|
return "You are not allowed to delete protected branches from this project."
|
|
|
|
end
|
|
|
|
|
|
|
|
if matching_merge_request?
|
|
|
|
if user_access.can_merge_to_branch?(@branch_name) || user_access.can_push_to_branch?(@branch_name)
|
|
|
|
return
|
|
|
|
else
|
|
|
|
"You are not allowed to merge code into protected branches on this project."
|
|
|
|
end
|
|
|
|
else
|
|
|
|
if user_access.can_push_to_branch?(@branch_name)
|
|
|
|
return
|
|
|
|
else
|
|
|
|
"You are not allowed to push code to protected branches on this project."
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def tag_checks
|
2016-11-17 14:48:23 -05:00
|
|
|
return if skip_authorization
|
|
|
|
|
2016-07-28 00:04:57 -04:00
|
|
|
tag_ref = Gitlab::Git.tag_name(@ref)
|
2016-07-18 04:16:56 -04:00
|
|
|
|
|
|
|
if tag_ref && protected_tag?(tag_ref) && user_access.cannot_do_action?(:admin_project)
|
|
|
|
"You are not allowed to change existing tags on this project."
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def push_checks
|
2016-11-17 14:48:23 -05:00
|
|
|
return if skip_authorization
|
|
|
|
|
2016-07-18 04:16:56 -04:00
|
|
|
if user_access.cannot_do_action?(:push_code)
|
|
|
|
"You are not allowed to push code to this project."
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def protected_tag?(tag_name)
|
|
|
|
project.repository.tag_exists?(tag_name)
|
|
|
|
end
|
|
|
|
|
|
|
|
def forced_push?
|
|
|
|
Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev)
|
|
|
|
end
|
|
|
|
|
|
|
|
def matching_merge_request?
|
|
|
|
Checks::MatchingMergeRequest.new(@newrev, @branch_name, @project).match?
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|