gitlab.com/gitlab-org/gitlab-foss.git
author Timothy Andrew <mail@timothyandrew.net> 2016-07-08 09:15:02 +0300
committer Timothy Andrew <mail@timothyandrew.net> 2016-07-29 12:50:39 +0300
commit 828f6eb6e50e6193fad9dbdd95d9dd56506e4064 (patch)
tree 9a328d1698606d81c0bb7000ed68a4d01891f3f0 /lib/gitlab/user_access.rb
parent ab6096c17261605d835a4a8edae21f31d90026df (diff)
Enforce "No One Can Push" during git operations.
1. The crux of this change is in `UserAccess`, which looks through all the access levels, asking each if the user has access to push/merge for the current project.
2. Update the `protected_branches` factory to create access levels as necessary.
3. Fix and augment `user_access` and `git_access` specs.
Diffstat (limited to 'lib/gitlab/user_access.rb')
-rw-r--r-- lib/gitlab/user_access.rb 10
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index c0f85e9b3a8..3a69027368f 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -29,8 +29,9 @@ module Gitlab
def can_push_to_branch?(ref)
return false unless user
- if project.protected_branch?(ref) && !project.developers_can_push_to_protected_branch?(ref)
- user.can?(:push_code_to_protected_branches, project)
+ if project.protected_branch?(ref)
+ access_levels = project.protected_branches.matching(ref).map(&:push_access_level)
+ access_levels.any? { |access_level| access_level.check_access(user) }
else
user.can?(:push_code, project)
end
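Review bot: In `can_push_to_branch?`, `map(&:push_access_level)` yields `nil` for any matching protected branch that has no push access level, and the next line then calls `check_access` on `nil`, so the git authorization check fails with a `NoMethodError` instead of a clear allow or deny. Either guarantee that the association is always present, or add `.compact` after the `map`, so that a protected branch with no access level makes `any?` return false and the push is denied. Also note that the old `user.can?(..., project)` call passed the project explicitly while `check_access(user)` does not, so a spec should confirm that each access level resolves the project it is checked against.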
@@ -39,8 +40,9 @@ module Gitlab
def can_merge_to_branch?(ref)
return false unless user
- if project.protected_branch?(ref) && !project.developers_can_merge_to_protected_branch?(ref)
- user.can?(:push_code_to_protected_branches, project)
+ if project.protected_branch?(ref)
+ access_levels = project.protected_branches.matching(ref).map(&:merge_access_level)
+ access_levels.any? { |access_level| access_level.check_access(user) }
else
user.can?(:push_code, project)
end
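Review bot: `can_merge_to_branch?` now has the same body as `can_push_to_branch?` with only `merge_access_level` swapped for `push_access_level`, so the two authorization paths can drift apart; a private helper that takes the access level name would keep them in step. Separately, `access_levels.any?` over everything returned by `matching(ref)` means that if more than one protected branch entry matches the ref, the most permissive entry decides, and a "no one" level on one entry is overridden by a looser level on another. If that is the intended rule, state it in a comment above the method and cover the overlapping case in the specs; if the strictest entry should win, `any?` is the wrong combinator here.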