Diffstat (limited to 'lib/gitlab/git_access.rb')
-rw-r--r-- | lib/gitlab/git_access.rb | 58 |
1 files changed, 39 insertions, 19 deletions
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index cba63b3c6c7..66fd7aaedea 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -1,7 +1,8 @@ # frozen_string_literal: true -# Check a user's access to perform a git action. All public methods in this -# class return an instance of `GitlabAccessStatus` +# Checks a user's access to perform a git action. +# All public methods in this class return an instance of `GitlabAccessStatus` + module Gitlab class GitAccess include Gitlab::Utils::StrongMemoize @@ -99,7 +100,7 @@ module Gitlab @logger ||= Checks::TimedLogger.new(timeout: INTERNAL_TIMEOUT, header: LOG_HEADER) end - def guest_can_download_code? + def guest_can_download? Guest.can?(download_ability, container) end @@ -107,10 +108,10 @@ module Gitlab authentication_abilities.include?(:download_code) && deploy_key? && deploy_key.has_access_to?(container) && - (project? && project&.repository_access_level != ::Featurable::DISABLED) + (project? && repository_access_level != ::Featurable::DISABLED) end - def user_can_download_code? + def user_can_download? authentication_abilities.include?(:download_code) && user_access.can_do_action?(download_ability) end @@ -125,10 +126,6 @@ module Gitlab raise NotImplementedError end - def build_can_download_code? - authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code) - end - def request_from_ci_build? return false unless protocol == 'http' 
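Review bot: Renaming `user_can_download_code?` to `user_can_download?` in the third hunk (and `guest_can_download_code?` to `guest_can_download?` in the hunk before it) turns any subclass or EE override still defined under the old name into dead code, so the base predicate would decide access without that subclass's restriction. The diffstat is limited to this file, so whether such overrides exist cannot be confirmed from here; the rest of the commit should be checked for remaining definitions and callers of both old names. Both methods stay above `private`, so external callers are affected as well. A spec per access subclass that asserts a denied download would catch an override that silently stopped applying.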
@@ -136,11 +133,36 @@ module Gitlab end def protocol_allowed? - Gitlab::ProtocolAccess.allowed?(protocol) + Gitlab::ProtocolAccess.allowed?(protocol, project: project) end private + # when accessing via the CI_JOB_TOKEN + def build_can_download_code? + authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code) + end + + def build_can_download? + build_can_download_code? + end + + def deploy_token_can_download? + deploy_token? + end + + # When overriding this method, be careful using super + # as deploy_token_can_download? and build_can_download? + # do not consider the download_ability in the inheriting class + # for deploy tokens and builds + def can_download? + deploy_key_can_download_code? || + deploy_token_can_download? || + build_can_download? || + user_can_download? || + guest_can_download? + end + def check_container! # Strict nil check, to avoid any surprises with Object#present? # which can delegate to #empty? @@ -273,15 +295,9 @@ module Gitlab end def check_download_access! - passed = deploy_key_can_download_code? || - deploy_token? || - user_can_download_code? || - build_can_download_code? || - guest_can_download_code? - - unless passed - raise ForbiddenError, download_forbidden_message - end + return if can_download? + + raise ForbiddenError, download_forbidden_message end def download_forbidden_message @@ -517,6 +533,10 @@ module Gitlab # overriden in EE def check_additional_conditions! end + + def repository_access_level + project&.repository_access_level + end end end |
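Review bot: `can_download?` admits a request as soon as `deploy_token_can_download?` returns true, and that method is only `deploy_token?`; no ability or container check is visible in this hunk, so authorization for deploy tokens rests on whatever `deploy_token?` verifies elsewhere. The comment above `can_download?` warns that the deploy-token and build branches ignore the inheriting class's `download_ability`, but a warning does not stop a subclass that calls `super` from granting access it meant to restrict. I would state the contract on the method itself, e.g. `# Passes on deploy_token? alone; subclasses with a different download_ability must override this`, and cover it with a denial spec in each subclass. Separately, `protocol_allowed?` now passes `project: project`, which presumably can be nil for containers without a project; confirm that `Gitlab::ProtocolAccess.allowed?` then falls back to the instance-level restriction rather than allowing the protocol.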
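Review bot: `repository_access_level` in the last hunk returns nil when there is no project, and `nil != ::Featurable::DISABLED` is true (assuming the constant is non-nil), so a caller that compares the result this way without a `project?` guard treats a missing project as enabled. The one call site in this diff, `deploy_key_can_download_code?`, keeps the `project? &&` guard, so behaviour is unchanged today. A comment on the helper would keep later callers from dropping the guard: `# Returns nil when the container has no project; check project? before comparing against ::Featurable::DISABLED`. The helper also sits directly under `check_additional_conditions!`, whose `# overriden in EE` comment does not apply to it.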