Fix deploy keys permission check in internal api
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent
30e28a7e0c
commit
06b7907c2a
2 changed files with 37 additions and 10 deletions
|
@ -8,15 +8,7 @@ module Gitlab
|
||||||
def check(actor, cmd, project, changes = nil)
|
def check(actor, cmd, project, changes = nil)
|
||||||
case cmd
|
case cmd
|
||||||
when *DOWNLOAD_COMMANDS
|
when *DOWNLOAD_COMMANDS
|
||||||
if actor.is_a? User
|
download_access_check(actor, project)
|
||||||
download_access_check(actor, project)
|
|
||||||
elsif actor.is_a? DeployKey
|
|
||||||
actor.projects.include?(project)
|
|
||||||
elsif actor.is_a? Key
|
|
||||||
download_access_check(actor.user, project)
|
|
||||||
else
|
|
||||||
raise 'Wrong actor'
|
|
||||||
end
|
|
||||||
when *PUSH_COMMANDS
|
when *PUSH_COMMANDS
|
||||||
if actor.is_a? User
|
if actor.is_a? User
|
||||||
push_access_check(actor, project, changes)
|
push_access_check(actor, project, changes)
|
||||||
|
@ -32,7 +24,23 @@ module Gitlab
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def download_access_check(user, project)
|
def download_access_check(actor, project)
|
||||||
|
if actor.is_a?(User)
|
||||||
|
user_download_access_check(actor, project)
|
||||||
|
elsif actor.is_a?(DeployKey)
|
||||||
|
if actor.projects.include?(project)
|
||||||
|
build_status_object(true)
|
||||||
|
else
|
||||||
|
build_status_object(false, "Deploy key not allowed to access this project")
|
||||||
|
end
|
||||||
|
elsif actor.is_a? Key
|
||||||
|
user_download_access_check(actor.user, project)
|
||||||
|
else
|
||||||
|
raise 'Wrong actor'
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def user_download_access_check(user, project)
|
||||||
if user && user_allowed?(user) && user.can?(:download_code, project)
|
if user && user_allowed?(user) && user.can?(:download_code, project)
|
||||||
build_status_object(true)
|
build_status_object(true)
|
||||||
else
|
else
|
||||||
|
|
|
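Review bot: The branch order in the new `download_access_check` is load-bearing, and nothing in the code says so. `is_a?` also matches subclasses, so if `DeployKey` inherits from `Key` (the model is not visible here, but the ordering suggests it), moving the `Key` branch above the `DeployKey` branch would route deploy keys through `actor.user` and decide access on that user's permissions instead of the key's project list. I would add a comment above the `elsif actor.is_a?(DeployKey)` line, e.g. `# DeployKey must be checked before Key: is_a? matches subclasses too`. Separately, the `else` branch still raises a bare `'Wrong actor'` string while every other branch now returns a status object; if a nil or unknown actor can reach this from the internal API, returning a denied status object there would keep the denial path uniform, which is worth confirming against the caller. The body of `check` continues outside the first hunk.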
@ -46,6 +46,25 @@ describe Gitlab::GitAccess do
|
||||||
it { subject.allowed?.should be_false }
|
it { subject.allowed?.should be_false }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'deploy key permissions' do
|
||||||
|
let(:key) { create(:deploy_key) }
|
||||||
|
|
||||||
|
context 'pull code' do
|
||||||
|
context 'allowed' do
|
||||||
|
before { key.projects << project }
|
||||||
|
subject { access.download_access_check(key, project) }
|
||||||
|
|
||||||
|
it { subject.allowed?.should be_true }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'denied' do
|
||||||
|
subject { access.download_access_check(key, project) }
|
||||||
|
|
||||||
|
it { subject.allowed?.should be_false }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'push_access_check' do
|
describe 'push_access_check' do
|
||||||
|
|
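Review bot: Both new contexts call `access.download_access_check(key, project)` directly, so the download dispatch in `check` that this commit rewrote is never exercised with a deploy key, and that is presumably the path the internal API takes. I would add one example per context that goes through the entry point, along the lines of `subject { access.check(key, cmd, project) }` with `cmd` taken from `DOWNLOAD_COMMANDS`; where that constant is defined is not visible on this page. The 'denied' context also relies implicitly on the key not being attached to the project, so a short comment such as `# key is deliberately not added to project.deploy_keys here` would make that precondition explicit. `access` and `project` are defined outside the hunk.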