Authorize user before creating/updating a protected branch.
1. This is a third line of defence (first in the view, second in the controller). 2. Duplicate the `API::Helpers.to_boolean` method in `BaseService`. The other alternative is to `include API::Helpers`, but this brings with it a number of other methods that might cause conflicts. 3. Return a 403 if authorization fails.
This commit is contained in:
parent
01d190a84a
commit
6d841eaadc
|
@ -1,7 +1,5 @@
|
|||
module ProtectedBranches
|
||||
class BaseService < ::BaseService
|
||||
include API::Helpers
|
||||
|
||||
def initialize(project, current_user, params = {})
|
||||
super(project, current_user, params)
|
||||
@allowed_to_push = params[:allowed_to_push]
|
||||
|
@ -14,7 +12,7 @@ module ProtectedBranches
|
|||
set_push_access_levels!
|
||||
end
|
||||
|
||||
protected
|
||||
private
|
||||
|
||||
def set_merge_access_levels!
|
||||
case @allowed_to_merge
|
||||
|
@ -56,5 +54,14 @@ module ProtectedBranches
|
|||
'masters'
|
||||
end
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
def to_boolean(value)
|
||||
return true if value =~ /^(true|t|yes|y|1|on)$/i
|
||||
return false if value =~ /^(false|f|no|n|0|off)$/i
|
||||
|
||||
nil
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -3,6 +3,8 @@ module ProtectedBranches
|
|||
attr_reader :protected_branch
|
||||
|
||||
def execute
|
||||
raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
|
||||
|
||||
ProtectedBranch.transaction do
|
||||
@protected_branch = project.protected_branches.new(name: params[:name])
|
||||
@protected_branch.save!
|
||||
|
|
|
@ -4,12 +4,13 @@ module ProtectedBranches
|
|||
|
||||
def initialize(project, current_user, id, params = {})
|
||||
super(project, current_user, params)
|
||||
@id = id
|
||||
@protected_branch = ProtectedBranch.find(id)
|
||||
end
|
||||
|
||||
def execute
|
||||
raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
|
||||
|
||||
ProtectedBranch.transaction do
|
||||
@protected_branch = ProtectedBranch.find(@id)
|
||||
set_access_levels!
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue