0f0738e788
* upstream/master: (538 commits) Reject blank environment vcariables in Gitlab::Git::RevList Add online terminal documentation Add changelog entry Add terminal UI and controller actions Fix specs Even out padding on plus button in breadcrumb menu Update font size of detail page header to 14px Update CHANGELOG.md for 8.13.10 Update CHANGELOG.md for 8.14.5 Fix Route#rename_children behavior Remove inline-block styling from status Add terminals to the Kubernetes deployment service Add a ReactiveCaching concern for use in the KubernetesService Add xterm.js 2.1.0 and a wrapper class to the asset pipeline Remove unnecessary hidden svg elements for icons. Fix consistent typo in environment.js Use a block to insert extra check for authenticate_build! Align milestone column header with count number Add Wiki import to BB importer Make CI badge hitboxes better match container ...
module Gitlab
|
|
module Checks
|
|
class ChangeAccess
|
|
attr_reader :user_access, :project, :skip_authorization
|
|
|
|
def initialize(
|
|
change, user_access:, project:, env: {}, skip_authorization: false)
|
|
@oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
|
|
@branch_name = Gitlab::Git.branch_name(@ref)
|
|
@user_access = user_access
|
|
@project = project
|
|
@env = env
|
|
@skip_authorization = skip_authorization
|
|
end
|
|
|
|
def exec
|
|
error = push_checks || tag_checks || protected_branch_checks
|
|
|
|
if error
|
|
GitAccessStatus.new(false, error)
|
|
else
|
|
GitAccessStatus.new(true)
|
|
end
|
|
end
|
|
|
|
protected
|
|
|
|
def protected_branch_checks
|
|
return if skip_authorization
|
|
return unless @branch_name
|
|
return unless project.protected_branch?(@branch_name)
|
|
|
|
if forced_push? && user_access.cannot_do_action?(:force_push_code_to_protected_branches)
|
|
return "You are not allowed to force push code to a protected branch on this project."
|
|
elsif Gitlab::Git.blank_ref?(@newrev) && user_access.cannot_do_action?(:remove_protected_branches)
|
|
return "You are not allowed to delete protected branches from this project."
|
|
end
|
|
|
|
if matching_merge_request?
|
|
if user_access.can_merge_to_branch?(@branch_name) || user_access.can_push_to_branch?(@branch_name)
|
|
return
|
|
else
|
|
"You are not allowed to merge code into protected branches on this project."
|
|
end
|
|
else
|
|
if user_access.can_push_to_branch?(@branch_name)
|
|
return
|
|
else
|
|
"You are not allowed to push code to protected branches on this project."
|
|
end
|
|
end
|
|
end
|
|
|
|
def tag_checks
|
|
return if skip_authorization
|
|
|
|
tag_ref = Gitlab::Git.tag_name(@ref)
|
|
|
|
if tag_ref && protected_tag?(tag_ref) && user_access.cannot_do_action?(:admin_project)
|
|
"You are not allowed to change existing tags on this project."
|
|
end
|
|
end
|
|
|
|
def push_checks
|
|
return if skip_authorization
|
|
|
|
if user_access.cannot_do_action?(:push_code)
|
|
"You are not allowed to push code to this project."
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
def protected_tag?(tag_name)
|
|
project.repository.tag_exists?(tag_name)
|
|
end
|
|
|
|
def forced_push?
|
|
Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev, env: @env)
|
|
end
|
|
|
|
def matching_merge_request?
|
|
Checks::MatchingMergeRequest.new(@newrev, @branch_name, @project).match?
|
|
end
|
|
end
|
|
end
|
|
end
|