Authorize user before creating/updating a protected branch.

1. This is a third line of defence (first in the view, second in the
   controller).

2. Duplicate the `API::Helpers.to_boolean` method in `BaseService`. The
   other alternative is to `include API::Helpers`, but this brings with it
   a number of other methods that might cause conflicts.

3. Return a 403 if authorization fails.
Timothy Andrew 2016-07-27 10:14:38 +05:30
parent 01d190a84a
commit 6d841eaadc
3 changed files with 15 additions and 5 deletions


@ -1,7 +1,5 @@
module ProtectedBranches
class BaseService < ::BaseService
include API::Helpers
def initialize(project, current_user, params = {})
super(project, current_user, params)
@allowed_to_push = params[:allowed_to_push]
@ -14,7 +12,7 @@ module ProtectedBranches
set_push_access_levels!
end
protected
private
def set_merge_access_levels!
case @allowed_to_merge
@ -56,5 +54,14 @@ module ProtectedBranches
'masters'
end
end
protected
def to_boolean(value)
return true if value =~ /^(true|t|yes|y|1|on)$/i
return false if value =~ /^(false|f|no|n|0|off)$/i
nil
end
end
end
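Review bot: The two patterns in the added `to_boolean` use `^` and `$`, which in Ruby anchor at line boundaries rather than at the start and end of the string, so a multi-line value with one line reading `true` is still treated as true. Anchoring on the whole string closes that: `return true if value =~ /\A(true|t|yes|y|1|on)\z/i` and `return false if value =~ /\A(false|f|no|n|0|off)\z/i`. The commit message says this is a copy of `API::Helpers.to_boolean`, so the original presumably has the same anchors and should be changed with it. A value that is already a boolean object rather than a String matches neither pattern, and how callers treat the resulting nil is outside the visible hunks, so that is worth confirming.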


@ -3,6 +3,8 @@ module ProtectedBranches
attr_reader :protected_branch
def execute
raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
ProtectedBranch.transaction do
@protected_branch = project.protected_branches.new(name: params[:name])
@protected_branch.save!
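Review bot: The guard added at the top of `execute` calls `current_user.can?` directly, so a service built with a nil user would fail with NoMethodError instead of `Gitlab::Access::AccessDeniedError`, and the 403 path would not see it. Writing it as `raise Gitlab::Access::AccessDeniedError unless current_user && current_user.can?(:admin_project, project)` keeps that case on the access-denied path; whether a nil user can reach this service is not visible here and should be confirmed. The commit changes only the three service files, so there is no spec showing that a non-admin is rejected before anything is written to `protected_branches`, and the mapping of this error to a 403 lives in code not shown. The rest of `execute` lies outside the hunk.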


@ -4,12 +4,13 @@ module ProtectedBranches
def initialize(project, current_user, id, params = {})
super(project, current_user, params)
@id = id
@protected_branch = ProtectedBranch.find(id)
end
def execute
raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
ProtectedBranch.transaction do
@protected_branch = ProtectedBranch.find(@id)
set_access_levels!
end
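Review bot: `initialize` loads the record with `ProtectedBranch.find(id)`, which is not scoped to `project`, while the guard added in `execute` checks `:admin_project` on `project` only. Nothing visible ties the loaded branch to the project that was authorized, so unless every caller already guarantees the id belongs to that project, the check can pass for one project while the update applies to another project's protected branch. Scoping the lookup removes the gap: `@protected_branch = project.protected_branches.find(id)`. Moving the find into the constructor also means a missing id now raises when the service is instantiated rather than inside `execute`, which callers that rescue around `execute` should account for.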