Branch unprotection restriction starting point
Explored Policy framework to create something I can use as a starting point.
This commit is contained in:
parent
391732a2c1
commit
1f7328f8ee
3 changed files with 76 additions and 1 deletions
15
app/policies/protected_branch_policy.rb
Normal file
15
app/policies/protected_branch_policy.rb
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
class ProtectedBranchPolicy < BasePolicy
|
||||||
|
delegate { @subject.project }
|
||||||
|
|
||||||
|
condition(:requires_admin_to_unprotect?, scope: :subject) do
|
||||||
|
@subject.name == 'master' && Gitlab::CurrentSettings.only_admins_can_unprotect_master_branch?
|
||||||
|
end
|
||||||
|
|
||||||
|
rule { can?(:admin_project) }.policy do
|
||||||
|
enable :update_protected_branch
|
||||||
|
end
|
||||||
|
|
||||||
|
rule { requires_admin_to_unprotect? & ~admin }.policy do
|
||||||
|
prevent :update_protected_branch
|
||||||
|
end
|
||||||
|
end
|
|
@ -1,7 +1,7 @@
|
||||||
module ProtectedBranches
|
module ProtectedBranches
|
||||||
class UpdateService < BaseService
|
class UpdateService < BaseService
|
||||||
def execute(protected_branch)
|
def execute(protected_branch)
|
||||||
raise Gitlab::Access::AccessDeniedError unless can?(current_user, :admin_project, project)
|
raise Gitlab::Access::AccessDeniedError unless can?(current_user, :update_protected_branch, protected_branch)
|
||||||
|
|
||||||
protected_branch.update(params)
|
protected_branch.update(params)
|
||||||
protected_branch
|
protected_branch
|
||||||
|
|
60
spec/policies/protected_branch_policy_spec.rb
Normal file
60
spec/policies/protected_branch_policy_spec.rb
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe ProtectedBranchPolicy do
|
||||||
|
let(:user) { create(:user) }
|
||||||
|
let(:name) { 'feature' }
|
||||||
|
let(:protected_branch) { create(:protected_branch, name: name) }
|
||||||
|
let(:project) { protected_branch.project }
|
||||||
|
|
||||||
|
subject { described_class.new(user, protected_branch) }
|
||||||
|
|
||||||
|
context 'when unprotection restriction feature is disabled' do
|
||||||
|
it "branches can't be updated by guests" do
|
||||||
|
project.add_guest(user)
|
||||||
|
|
||||||
|
is_expected.to be_disallowed(:update_protected_branch)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'branches can be updated via access to project settings' do
|
||||||
|
project.add_master(user)
|
||||||
|
|
||||||
|
is_expected.to be_allowed(:update_protected_branch)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when unprotection restriction feature is enabled' do
|
||||||
|
before do
|
||||||
|
# stub_licensed_features(unprotection_restrictions: true)
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'and unprotection is limited to admins' do #TODO: remove this is temporary exploration
|
||||||
|
before do
|
||||||
|
stub_ee_application_setting(only_admins_can_unprotect_master_branch: true)
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'and the protection is for master' do
|
||||||
|
let(:name) { 'master' }
|
||||||
|
|
||||||
|
it 'project owners cannot remove protections' do
|
||||||
|
project.add_master(user)
|
||||||
|
|
||||||
|
is_expected.not_to be_allowed(:update_protected_branch)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'admins can remove protections' do
|
||||||
|
user.update!(admin: true)
|
||||||
|
|
||||||
|
is_expected.to be_allowed(:update_protected_branch)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context "and the protection isn't for master" do
|
||||||
|
it 'project owners can remove protections' do
|
||||||
|
project.add_master(user)
|
||||||
|
|
||||||
|
is_expected.to be_allowed(:update_protected_branch)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in a new issue