Fix deploy keys permission check in internal api
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent
30e28a7e0c
commit
06b7907c2a
2 changed files with 37 additions and 10 deletions
|
@ -8,15 +8,7 @@ module Gitlab
|
|||
def check(actor, cmd, project, changes = nil)
|
||||
case cmd
|
||||
when *DOWNLOAD_COMMANDS
|
||||
if actor.is_a? User
|
||||
download_access_check(actor, project)
|
||||
elsif actor.is_a? DeployKey
|
||||
actor.projects.include?(project)
|
||||
elsif actor.is_a? Key
|
||||
download_access_check(actor.user, project)
|
||||
else
|
||||
raise 'Wrong actor'
|
||||
end
|
||||
download_access_check(actor, project)
|
||||
when *PUSH_COMMANDS
|
||||
if actor.is_a? User
|
||||
push_access_check(actor, project, changes)
|
||||
|
@ -32,7 +24,23 @@ module Gitlab
|
|||
end
|
||||
end
|
||||
|
||||
def download_access_check(user, project)
|
||||
def download_access_check(actor, project)
|
||||
if actor.is_a?(User)
|
||||
user_download_access_check(actor, project)
|
||||
elsif actor.is_a?(DeployKey)
|
||||
if actor.projects.include?(project)
|
||||
build_status_object(true)
|
||||
else
|
||||
build_status_object(false, "Deploy key not allowed to access this project")
|
||||
end
|
||||
elsif actor.is_a? Key
|
||||
user_download_access_check(actor.user, project)
|
||||
else
|
||||
raise 'Wrong actor'
|
||||
end
|
||||
end
|
||||
|
||||
def user_download_access_check(user, project)
|
||||
if user && user_allowed?(user) && user.can?(:download_code, project)
|
||||
build_status_object(true)
|
||||
else
|
||||
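Review bot: In `download_access_check` the `DeployKey` test has to stay ahead of the `Key` test, and nothing in the method says so. If `DeployKey` inherits from `Key` (the ordering suggests it does; the class definitions are not visible here), swapping the two branches would send deploy keys to `user_download_access_check(actor.user, project)`, where a missing user falls to the `else` branch for every deploy key. I would add a comment above the branch such as `# DeployKey before Key: deploy keys have no user and are authorised only by their project association`. The same comment can state that this branch does not go through `user_allowed?`, so access lasts until the key is detached from the project. `download_access_check` is complete in this hunk; `check` and `user_download_access_check` continue outside it.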
|
|
|
@ -46,6 +46,25 @@ describe Gitlab::GitAccess do
|
|||
it { subject.allowed?.should be_false }
|
||||
end
|
||||
end
|
||||
|
||||
describe 'deploy key permissions' do
|
||||
let(:key) { create(:deploy_key) }
|
||||
|
||||
context 'pull code' do
|
||||
context 'allowed' do
|
||||
before { key.projects << project }
|
||||
subject { access.download_access_check(key, project) }
|
||||
|
||||
it { subject.allowed?.should be_true }
|
||||
end
|
||||
|
||||
context 'denied' do
|
||||
subject { access.download_access_check(key, project) }
|
||||
|
||||
it { subject.allowed?.should be_false }
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'push_access_check' do
|
||||
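Review bot: The new examples call `download_access_check` directly, so the dispatch that this commit changes in `check` is not covered for deploy keys. An example that goes through the entry point, e.g. `subject { access.check(key, cmd, project) }` with `cmd` taken from `DOWNLOAD_COMMANDS`, would pin the behaviour the internal API relies on. The 'deploy key permissions' block also has only a 'pull code' context; a 'push code' context asserting that `allowed?` is false for a deploy key attached to the project would document that these keys are read-only, if that is the intended policy (the push branch of `check` is outside the visible hunks). The `describe 'push_access_check'` block that follows continues outside the hunk.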
|
|