Fix deploy keys permission check in internal api

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-12-01 16:25:10 +02:00 · 2014-12-01 16:25:10 +02:00 · 06b7907c2a
commit 06b7907c2a
parent 30e28a7e0c
2 changed files with 37 additions and 10 deletions
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@ -8,15 +8,7 @@ module Gitlab
    def check(actor, cmd, project, changes = nil)
      case cmd
      when *DOWNLOAD_COMMANDS
-        if actor.is_a? User
        download_access_check(actor, project)
-        elsif actor.is_a? DeployKey
-          actor.projects.include?(project)
-        elsif actor.is_a? Key
-          download_access_check(actor.user, project)
-        else
-          raise 'Wrong actor'
-        end
      when *PUSH_COMMANDS
        if actor.is_a? User
          push_access_check(actor, project, changes)
@ -32,7 +24,23 @@ module Gitlab
      end
    end

-    def download_access_check(user, project)
+    def download_access_check(actor, project)
+      if actor.is_a?(User)
+        user_download_access_check(actor, project)
+      elsif actor.is_a?(DeployKey)
+        if actor.projects.include?(project)
+          build_status_object(true)
+        else
+          build_status_object(false, "Deploy key not allowed to access this project")
+        end
+      elsif actor.is_a? Key
+        user_download_access_check(actor.user, project)
+      else
+        raise 'Wrong actor'
+      end
+    end
+
+    def user_download_access_check(user, project)
      if user && user_allowed?(user) && user.can?(:download_code, project)
        build_status_object(true)
      else
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@ -46,6 +46,25 @@ describe Gitlab::GitAccess do
        it { subject.allowed?.should be_false }
      end
    end
+
+    describe 'deploy key permissions' do
+      let(:key) { create(:deploy_key) }
+
+      context 'pull code' do
+        context 'allowed' do
+          before { key.projects << project }
+          subject { access.download_access_check(key, project) }
+
+          it { subject.allowed?.should be_true }
+        end
+
+        context 'denied' do
+          subject { access.download_access_check(key, project) }
+
+          it { subject.allowed?.should be_false }
+        end
+      end
+    end
  end

  describe 'push_access_check' do