diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-03 21:08:54 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-03 21:08:54 +0300 |
| commit | 27484d14658e92177e059ef905e9562c71ad9a3f (patch) | |
| tree | 085e2a2720796fab97079e964ddf18ce391ad5f1 /lib/gitlab/git_access.rb | |
| parent | f5f6cb45c73c8aa059c3006a3696014522a41a4b (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/git_access.rb')
| -rw-r--r-- | lib/gitlab/git_access.rb | 50 |
1 files changed, 33 insertions, 17 deletions
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index cba63b3c6c7..865cac3691e 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -1,7 +1,8 @@ # frozen_string_literal: true -# Check a user's access to perform a git action. All public methods in this -# class return an instance of `GitlabAccessStatus` +# Checks a user's access to perform a git action. +# All public methods in this class return an instance of `GitlabAccessStatus` + module Gitlab class GitAccess include Gitlab::Utils::StrongMemoize @@ -99,7 +100,7 @@ module Gitlab @logger ||= Checks::TimedLogger.new(timeout: INTERNAL_TIMEOUT, header: LOG_HEADER) end - def guest_can_download_code? + def guest_can_download? Guest.can?(download_ability, container) end @@ -110,7 +111,7 @@ module Gitlab (project? && project&.repository_access_level != ::Featurable::DISABLED) end - def user_can_download_code? + def user_can_download? authentication_abilities.include?(:download_code) && user_access.can_do_action?(download_ability) end @@ -125,10 +126,6 @@ module Gitlab raise NotImplementedError end - def build_can_download_code? - authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code) - end - def request_from_ci_build? return false unless protocol == 'http' @@ -141,6 +138,31 @@ module Gitlab private + # when accessing via the CI_JOB_TOKEN + def build_can_download_code? + authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code) + end + + def build_can_download? + build_can_download_code? + end + + def deploy_token_can_download? + deploy_token? + end + + # When overriding this method, be careful using super + # as deploy_token_can_download? and build_can_download? + # do not consider the download_ability in the inheriting class + # for deploy tokens and builds + def can_download? + deploy_key_can_download_code? || + deploy_token_can_download? || + build_can_download? || + user_can_download? || + guest_can_download? + end + def check_container! # Strict nil check, to avoid any surprises with Object#present? # which can delegate to #empty? @@ -273,15 +295,9 @@ module Gitlab end def check_download_access! - passed = deploy_key_can_download_code? || - deploy_token? || - user_can_download_code? || - build_can_download_code? || - guest_can_download_code? - - unless passed - raise ForbiddenError, download_forbidden_message - end + return if can_download? + + raise ForbiddenError, download_forbidden_message end def download_forbidden_message |