Diffstat (limited to 'app/services/resource_access_tokens/create_service.rb')
-rw-r--r--app/services/resource_access_tokens/create_service.rb10
1 files changed, 10 insertions, 0 deletions
diff --git a/app/services/resource_access_tokens/create_service.rb b/app/services/resource_access_tokens/create_service.rb
index 1c496aa5e77..824b1a8c377 100644
--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -17,6 +17,8 @@ module ResourceAccessTokens
access_level = params[:access_level] || Gitlab::Access::MAINTAINER
return error("Could not provision owner access to project access token") if do_not_allow_owner_access_level_for_project_bot?(access_level)
+ return error("Access level of the token can't be greater the access level of the user who created the token") unless validate_access_level(access_level)
+
return error(s_('AccessTokens|Access token limit reached')) if reached_access_token_limit?
user = create_user
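Review bot: The new error message on the added line is ungrammatical and, unlike the neighbouring `s_('AccessTokens|Access token limit reached')`, is not routed through the i18n helper; it should read `return error(s_("AccessTokens|Access level of the token can't be greater than the access level of the user who created the token")) unless validate_access_level(access_level)`. The helper it calls, `validate_access_level` in the second hunk, returns true for every non-Project resource and for bot users, so the new guard adds nothing for group access tokens; if that scope is intentional a short comment on the helper saying so (`# Only project tokens are capped at the creator's own access level`) would stop a reader from assuming groups are covered. The helper is a predicate in all but name, so `validate_access_level?` or `access_level_permitted?` would match the `do_not_allow_owner_access_level_for_project_bot?` style used beside it. The enclosing method starts before this hunk.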
@@ -125,6 +127,14 @@ module ResourceAccessTokens
ServiceResponse.success(payload: { access_token: access_token })
end
+ def validate_access_level(access_level)
+ return true unless resource.is_a?(Project)
+ return true if current_user.bot?
+ return true if current_user.can?(:manage_owners, resource)
+
+ current_user.authorized_project?(resource, access_level.to_i)
+ end
+
def do_not_allow_owner_access_level_for_project_bot?(access_level)
resource.is_a?(Project) &&
access_level.to_i == Gitlab::Access::OWNER &&