Merge pull request #6190 from Popl7/add-better-branch-protection-against-history-rewrite-and-deletion

protect protected branched to force updates

2 files changed, 16 insertions, 9 deletions

diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index bcf97574673..06c66ba0b35 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -10,6 +10,7 @@ module API
       #   project - project path with namespace
       #   action - git action (git-upload-pack or git-receive-pack)
       #   ref - branch name
+      #   forced_push - forced_push
       #
       get "/allowed" do
         # Check for *.wiki repositories.
@@ -35,7 +36,8 @@ module API
           project,
           params[:ref],
           params[:oldrev],
-          params[:newrev]
+          params[:newrev],
+          params[:forced_push]
         )
       end
 
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 1ab8f9213a3..a0401290cc0 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -5,7 +5,7 @@ module Gitlab
 
     attr_reader :params, :project, :git_cmd, :user
 
-    def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil)
+    def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil, forced_push = false)
       case cmd
       when *DOWNLOAD_COMMANDS
         if actor.is_a? User
@@ -19,12 +19,12 @@ module Gitlab
         end
       when *PUSH_COMMANDS
         if actor.is_a? User
-          push_allowed?(actor, project, ref, oldrev, newrev)
+          push_allowed?(actor, project, ref, oldrev, newrev, forced_push)
         elsif actor.is_a? DeployKey
           # Deploy key not allowed to push
           return false
         elsif actor.is_a? Key
-          push_allowed?(actor.user, project, ref, oldrev, newrev)
+          push_allowed?(actor.user, project, ref, oldrev, newrev, forced_push)
         else
           raise 'Wrong actor'
         end
@@ -41,13 +41,18 @@ module Gitlab
       end
     end
 
-    def push_allowed?(user, project, ref, oldrev, newrev)
+    def push_allowed?(user, project, ref, oldrev, newrev, forced_push)
       if user && user_allowed?(user)
+
         action = if project.protected_branch?(ref)
-                   :push_code_to_protected_branches
-                 else
-                   :push_code
-                 end
+                    if forced_push
+                      :force_push_code_to_protected_branches
+                    else
+                      :push_code_to_protected_branches
+                    end
+                  else
+                    :push_code
+                  end
         user.can?(action, project)
       else
         false