Merge branch '18471-restrict-tag-pushes-protected-tags' into 'master'

Protected Tags

Closes #18471

See merge request !10356

4 files changed, 106 insertions, 69 deletions

diff --git a/app/controllers/projects/protected_branches_controller.rb b/app/controllers/projects/protected_branches_controller.rb
index a8cb07eb67a..ba24fa9acfe 100644
--- a/app/controllers/projects/protected_branches_controller.rb
+++ b/app/controllers/projects/protected_branches_controller.rb
@@ -1,58 +1,23 @@
-class Projects::ProtectedBranchesController < Projects::ApplicationController
-  include RepositorySettingsRedirect
-  # Authorize
-  before_action :require_non_empty_project
-  before_action :authorize_admin_project!
-  before_action :load_protected_branch, only: [:show, :update, :destroy]
+class Projects::ProtectedBranchesController < Projects::ProtectedRefsController
+  protected
 
-  layout "project_settings"
-
-  def index
-    redirect_to_repository_settings(@project)
-  end
-
-  def create
-    @protected_branch = ::ProtectedBranches::CreateService.new(@project, current_user, protected_branch_params).execute
-    unless @protected_branch.persisted?
-      flash[:alert] = @protected_branches.errors.full_messages.join(', ').html_safe
-    end
-    redirect_to_repository_settings(@project)
-  end
-
-  def show
-    @matching_branches = @protected_branch.matching(@project.repository.branches)
+  def project_refs
+    @project.repository.branches
   end
 
-  def update
-    @protected_branch = ::ProtectedBranches::UpdateService.new(@project, current_user, protected_branch_params).execute(@protected_branch)
-
-    if @protected_branch.valid?
-      respond_to do |format|
-        format.json { render json: @protected_branch, status: :ok }
-      end
-    else
-      respond_to do |format|
-        format.json { render json: @protected_branch.errors, status: :unprocessable_entity }
-      end
-    end
+  def create_service_class
+    ::ProtectedBranches::CreateService
   end
 
-  def destroy
-    @protected_branch.destroy
-
-    respond_to do |format|
-      format.html { redirect_to_repository_settings(@project) }
-      format.js { head :ok }
-    end
+  def update_service_class
+    ::ProtectedBranches::UpdateService
   end
 
-  private
-
-  def load_protected_branch
-    @protected_branch = @project.protected_branches.find(params[:id])
+  def load_protected_ref
+    @protected_ref = @project.protected_branches.find(params[:id])
   end
 
-  def protected_branch_params
+  def protected_ref_params
     params.require(:protected_branch).permit(:name,
                                              merge_access_levels_attributes: [:access_level, :id],
                                              push_access_levels_attributes: [:access_level, :id])
diff --git a/app/controllers/projects/protected_refs_controller.rb b/app/controllers/projects/protected_refs_controller.rb
new file mode 100644
index 00000000000..083a70968e5
--- /dev/null
+++ b/app/controllers/projects/protected_refs_controller.rb
@@ -0,0 +1,47 @@
+class Projects::ProtectedRefsController < Projects::ApplicationController
+  include RepositorySettingsRedirect
+
+  # Authorize
+  before_action :require_non_empty_project
+  before_action :authorize_admin_project!
+  before_action :load_protected_ref, only: [:show, :update, :destroy]
+
+  layout "project_settings"
+
+  def index
+    redirect_to_repository_settings(@project)
+  end
+
+  def create
+    protected_ref = create_service_class.new(@project, current_user, protected_ref_params).execute
+
+    unless protected_ref.persisted?
+      flash[:alert] = protected_ref.errors.full_messages.join(', ').html_safe
+    end
+
+    redirect_to_repository_settings(@project)
+  end
+
+  def show
+    @matching_refs = @protected_ref.matching(project_refs)
+  end
+
+  def update
+    @protected_ref = update_service_class.new(@project, current_user, protected_ref_params).execute(@protected_ref)
+
+    if @protected_ref.valid?
+      render json: @protected_ref, status: :ok
+    else
+      render json: @protected_ref.errors, status: :unprocessable_entity
+    end
+  end
+
+  def destroy
+    @protected_ref.destroy
+
+    respond_to do |format|
+      format.html { redirect_to_repository_settings(@project) }
+      format.js { head :ok }
+    end
+  end
+end
diff --git a/app/controllers/projects/protected_tags_controller.rb b/app/controllers/projects/protected_tags_controller.rb
new file mode 100644
index 00000000000..c61ddf145e6
--- /dev/null
+++ b/app/controllers/projects/protected_tags_controller.rb
@@ -0,0 +1,23 @@
+class Projects::ProtectedTagsController < Projects::ProtectedRefsController
+  protected
+
+  def project_refs
+    @project.repository.tags
+  end
+
+  def create_service_class
+    ::ProtectedTags::CreateService
+  end
+
+  def update_service_class
+    ::ProtectedTags::UpdateService
+  end
+
+  def load_protected_ref
+    @protected_ref = @project.protected_tags.find(params[:id])
+  end
+
+  def protected_ref_params
+    params.require(:protected_tag).permit(:name, create_access_levels_attributes: [:access_level, :id])
+  end
+end
diff --git a/app/controllers/projects/settings/repository_controller.rb b/app/controllers/projects/settings/repository_controller.rb
index b6ce4abca45..44de8a49593 100644
--- a/app/controllers/projects/settings/repository_controller.rb
+++ b/app/controllers/projects/settings/repository_controller.rb
@@ -4,46 +4,48 @@ module Projects
       before_action :authorize_admin_project!
 
       def show
-        @deploy_keys = DeployKeysPresenter
-          .new(@project, current_user: current_user)
+        @deploy_keys = DeployKeysPresenter.new(@project, current_user: current_user)
 
-        define_protected_branches
+        define_protected_refs
       end
 
       private
 
-      def define_protected_branches
-        load_protected_branches
+      def define_protected_refs
+        @protected_branches = @project.protected_branches.order(:name).page(params[:page])
+        @protected_tags = @project.protected_tags.order(:name).page(params[:page])
         @protected_branch = @project.protected_branches.new
+        @protected_tag = @project.protected_tags.new
         load_gon_index
       end
 
-      def load_protected_branches
-        @protected_branches = @project.protected_branches.order(:name).page(params[:page])
-      end
-
       def access_levels_options
         {
-          push_access_levels: {
-            roles: ProtectedBranch::PushAccessLevel.human_access_levels.map do |id, text|
-              { id: id, text: text, before_divider: true }
-            end
-          },
-          merge_access_levels: {
-            roles: ProtectedBranch::MergeAccessLevel.human_access_levels.map do |id, text|
-              { id: id, text: text, before_divider: true }
-            end
-          }
+          create_access_levels: levels_for_dropdown(ProtectedTag::CreateAccessLevel),
+          push_access_levels: levels_for_dropdown(ProtectedBranch::PushAccessLevel),
+          merge_access_levels: levels_for_dropdown(ProtectedBranch::MergeAccessLevel)
         }
       end
 
-      def open_branches
-        branches = @project.open_branches.map { |br| { text: br.name, id: br.name, title: br.name } }
-        { open_branches: branches }
+      def levels_for_dropdown(access_level_type)
+        roles = access_level_type.human_access_levels.map do |id, text|
+          { id: id, text: text, before_divider: true }
+        end
+        { roles: roles }
+      end
+
+      def protectable_tags_for_dropdown
+        { open_tags: ProtectableDropdown.new(@project, :tags).hash }
+      end
+
+      def protectable_branches_for_dropdown
+        { open_branches: ProtectableDropdown.new(@project, :branches).hash }
       end
 
       def load_gon_index
-        gon.push(open_branches.merge(access_levels_options))
+        gon.push(protectable_tags_for_dropdown)
+        gon.push(protectable_branches_for_dropdown)
+        gon.push(access_levels_options)
       end
     end
   end