author | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-02-06 20:25:36 +0300 |
---|---|---|
committer | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-02-06 21:38:10 +0300 |
commit | 8b4280cb25cd27c3b2c1cbdfb7ee871a7ebaa6d3 (patch) | |
tree | 0e0c3940e2449ddb7a2863e2a4fbc367b6ee216b /lib/gitlab/git_access.rb | |
parent | 1e56b3f476f9779ec747534e94156a6b8076209c (diff) |
Check ability ability before proceeding with project specific checks
Diffstat (limited to 'lib/gitlab/git_access.rb')
-rw-r--r-- | lib/gitlab/git_access.rb | 41 |
1 files changed, 23 insertions, 18 deletions
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index bc1e83f77b2..8ec3386184a 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -12,8 +12,9 @@ module Gitlab
 ERROR_MESSAGES = {
 upload: 'You are not allowed to upload code for this project.',
 download: 'You are not allowed to download code from this project.',
- deploy_key_upload:
- 'This deploy key does not have write access to this project.',
+ auth_upload: 'You are not allowed to upload code.',
+ auth_download: 'You are not allowed to download code.',
+ deploy_key_upload: 'This deploy key does not have write access to this project.',
 no_repo: 'A repository for this project does not exist yet.',
 project_not_found: 'The project you were looking for could not be found.',
 account_blocked: 'Your account has been blocked.',
@@ -44,6 +45,7 @@ module Gitlab
 check_protocol!
 check_valid_actor!
 check_active_user!
+ check_authentication_abilities!(cmd)
 check_command_disabled!(cmd)
 check_command_existence!(cmd)
 check_db_accessibility!(cmd)
@@ -104,6 +106,19 @@ module Gitlab
 end
 end
+ def check_authentication_abilities!(cmd)
+ case cmd
+ when *DOWNLOAD_COMMANDS
+ unless authentication_abilities.include?(:download_code) || authentication_abilities.include?(:build_download_code)
+ raise UnauthorizedError, ERROR_MESSAGES[:auth_download]
+ end
+ when *PUSH_COMMANDS
+ unless authentication_abilities.include?(:push_code)
+ raise UnauthorizedError, ERROR_MESSAGES[:auth_upload]
+ end
+ end
+ end
+
 def check_project_accessibility!
 if project.blank? || !can_read_project?
 raise NotFoundError, ERROR_MESSAGES[:project_not_found]
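Review bot: The `case cmd` in `check_authentication_abilities!` has no `else`, so a command in neither `DOWNLOAD_COMMANDS` nor `PUSH_COMMANDS` passes this gate without any ability being checked; it appears to rely on `check_command_existence!(cmd)`, which the second hunk leaves after it in the call sequence, to reject such commands. Failing closed here would make the check independent of that ordering, or at minimum the dependency should be documented with a comment such as `# Unknown commands fall through here and are rejected by check_command_existence!`. The method also applies to every actor, so deploy-key and CI-build sessions now need `:push_code` or a download ability in `authentication_abilities` before any project check runs; whether those actors are granted them is not visible in this diff and deserves a spec per actor type. The method that the second hunk modifies starts and ends outside that hunk.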
@@ -205,31 +220,21 @@ module Gitlab
 end
 if deploy_key
- check_deploy_key_push_access!
+ unless deploy_key.can_push_to?(project)
+ raise UnauthorizedError, ERROR_MESSAGES[:deploy_key_upload]
+ end
 elsif user
- check_user_push_access!
+ # User access is verified in check_change_access!
 else
 raise UnauthorizedError, ERROR_MESSAGES[:upload]
 end
- check_change_access!(changes)
- end
+ return if changes.blank? # Allow access this is needed for EE.
- def check_user_push_access!
- unless authentication_abilities.include?(:push_code)
- raise UnauthorizedError, ERROR_MESSAGES[:upload]
- end
- end
-
- def check_deploy_key_push_access!
- unless deploy_key.can_push_to?(project)
- raise UnauthorizedError, ERROR_MESSAGES[:deploy_key_upload]
- end
+ check_change_access!(changes)
 end
 def check_change_access!(changes)
- return if changes.blank? # Allow access.
-
 changes_list = Gitlab::ChangesList.new(changes)
 # Iterate over all changes to find if user allowed all of them to be applied |
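Review bot: The comment `# User access is verified in check_change_access!` in the `elsif user` branch does not hold when `changes.blank?`, because the `return if changes.blank?` added just below exits before `check_change_access!` is called. On that path the only push gate for a user still in view is the `:push_code` entry in `authentication_abilities`, checked earlier by `check_authentication_abilities!`; that matches what the removed `check_user_push_access!` did, but the comment should say so, e.g. `# Users: :push_code is checked in check_authentication_abilities!; per-change permissions in check_change_access!`. The inline comment `# Allow access this is needed for EE.` should name which caller passes blank changes and why allowing it is safe. The method containing this branch starts above the hunk, and `check_change_access!` continues below it.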