Cleanup & tests for UserAccess#can_create_tag?
This commit is contained in:
James Edwards-Jones
parent
90c8bb8301
commit
1e15444ae6
|
|
@ -8,7 +8,7 @@ module ProtectedRef
|
||||||
|
|
||||||
delegate :matching, :matches?, :wildcard?, to: :ref_matcher
|
delegate :matching, :matches?, :wildcard?, to: :ref_matcher
|
||||||
|
|
||||||
def self.matching_refs_accesible_to(ref, user, action: :push)
|
def self.protected_ref_accessible_to?(ref, user, action: :push)
|
||||||
access_levels_for_ref(ref, action: action).any? do |access_level|
|
access_levels_for_ref(ref, action: action).any? do |access_level|
|
||||||
access_level.check_access(user)
|
access_level.check_access(user)
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -79,7 +79,7 @@ module Gitlab
|
||||||
return "Protected tags cannot be deleted."
|
return "Protected tags cannot be deleted."
|
||||||
end
|
end
|
||||||
|
|
||||||
unless user_access.can_push_tag?(@tag_name)
|
unless user_access.can_create_tag?(@tag_name)
|
||||||
return "You are not allowed to create this tag as it is protected."
|
return "You are not allowed to create this tag as it is protected."
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -28,14 +28,11 @@ module Gitlab
|
||||||
true
|
true
|
||||||
end
|
end
|
||||||
|
|
||||||
#TODO: Test this
|
def can_create_tag?(ref)
|
||||||
#TODO move most to ProtectedTag::AccessChecker. Or maybe UserAccess::Protections::Tag
|
|
||||||
#TODO: then consider removing method, if it turns out can_access_git? and can?(:push_code are checked in change_access
|
|
||||||
def can_push_tag?(ref)
|
|
||||||
return false unless can_access_git?
|
return false unless can_access_git?
|
||||||
|
|
||||||
if ProtectedTag.protected?(project, ref)
|
if ProtectedTag.protected?(project, ref)
|
||||||
project.protected_tags.matching_refs_accesible_to(ref, user)
|
project.protected_tags.protected_ref_accessible_to?(ref, user)
|
||||||
else
|
else
|
||||||
user.can?(:push_code, project)
|
user.can?(:push_code, project)
|
||||||
end
|
end
|
||||||
|
|
@ -47,7 +44,7 @@ module Gitlab
|
||||||
if ProtectedBranch.protected?(project, ref)
|
if ProtectedBranch.protected?(project, ref)
|
||||||
return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
|
return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
|
||||||
|
|
||||||
has_access = project.protected_branches.matching_refs_accesible_to(ref, user, action: :push)
|
has_access = project.protected_branches.protected_ref_accessible_to?(ref, user, action: :push)
|
||||||
|
|
||||||
has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)
|
has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)
|
||||||
else
|
else
|
||||||
|
|
@ -59,7 +56,7 @@ module Gitlab
|
||||||
return false unless can_access_git?
|
return false unless can_access_git?
|
||||||
|
|
||||||
if ProtectedBranch.protected?(project, ref)
|
if ProtectedBranch.protected?(project, ref)
|
||||||
project.protected_branches.matching_refs_accesible_to(ref, user, action: :merge)
|
project.protected_branches.protected_ref_accessible_to?(ref, user, action: :merge)
|
||||||
else
|
else
|
||||||
user.can?(:push_code, project)
|
user.can?(:push_code, project)
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -142,4 +142,74 @@ describe Gitlab::UserAccess, lib: true do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'can_create_tag?' do
|
||||||
|
describe 'push to none protected tag' do
|
||||||
|
it 'returns true if user is a master' do
|
||||||
|
project.add_user(user, :master)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?('random_tag')).to be_truthy
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns true if user is a developer' do
|
||||||
|
project.add_user(user, :developer)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?('random_tag')).to be_truthy
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns false if user is a reporter' do
|
||||||
|
project.add_user(user, :reporter)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?('random_tag')).to be_falsey
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
describe 'push to protected tag' do
|
||||||
|
let(:tag) { create(:protected_tag, project: project, name: "test") }
|
||||||
|
let(:not_existing_tag) { create :protected_tag, project: project }
|
||||||
|
|
||||||
|
it 'returns true if user is a master' do
|
||||||
|
project.add_user(user, :master)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?(tag.name)).to be_truthy
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns false if user is a developer' do
|
||||||
|
project.add_user(user, :developer)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?(tag.name)).to be_falsey
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns false if user is a reporter' do
|
||||||
|
project.add_user(user, :reporter)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?(tag.name)).to be_falsey
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'push to protected tag if allowed for developers' do
|
||||||
|
before do
|
||||||
|
@tag = create(:protected_tag, :developers_can_push, project: project)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns true if user is a master' do
|
||||||
|
project.add_user(user, :master)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?(@tag.name)).to be_truthy
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns true if user is a developer' do
|
||||||
|
project.add_user(user, :developer)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?(@tag.name)).to be_truthy
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns false if user is a reporter' do
|
||||||
|
project.add_user(user, :reporter)
|
||||||
|
|
||||||
|
expect(access.can_create_tag?(@tag.name)).to be_falsey
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue