1 files changed, 52 insertions, 18 deletions

diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 3b922da7ced..24393f96d96 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -1,6 +1,13 @@
 module Gitlab
   class UserAccess
-    attr_reader :user, :project
+    extend Gitlab::Cache::RequestCache
+
+    request_cache_key do
+      [user&.id, project&.id]
+    end
+
+    attr_reader :user
+    attr_accessor :project
 
     def initialize(user, project: nil)
       @user = user
@@ -10,8 +17,10 @@ module Gitlab
     def can_do_action?(action)
       return false unless can_access_git?
 
-      @permission_cache ||= {}
-      @permission_cache[action] ||= user.can?(action, project)
+      permission_cache[action] =
+        permission_cache.fetch(action) do
+          user.can?(action, project)
+        end
     end
 
     def cannot_do_action?(action)
@@ -22,49 +31,52 @@ module Gitlab
       return false unless can_access_git?
 
       if user.requires_ldap_check? && user.try_obtain_ldap_lease
-        return false unless Gitlab::LDAP::Access.allowed?(user)
+        return false unless Gitlab::Auth::LDAP::Access.allowed?(user)
       end
 
       true
     end
 
-    def can_create_tag?(ref)
+    request_cache def can_create_tag?(ref)
       return false unless can_access_git?
 
-      if ProtectedTag.protected?(project, ref)
-        project.protected_tags.protected_ref_accessible_to?(ref, user, action: :create)
+      if protected?(ProtectedTag, project, ref)
+        protected_tag_accessible_to?(ref, action: :create)
       else
         user.can?(:push_code, project)
       end
     end
 
-    def can_delete_branch?(ref)
+    request_cache def can_delete_branch?(ref)
       return false unless can_access_git?
 
-      if ProtectedBranch.protected?(project, ref)
+      if protected?(ProtectedBranch, project, ref)
         user.can?(:delete_protected_branch, project)
       else
         user.can?(:push_code, project)
       end
     end
 
-    def can_push_to_branch?(ref)
-      return false unless can_access_git?
+    def can_update_branch?(ref)
+      can_push_to_branch?(ref) || can_merge_to_branch?(ref)
+    end
 
-      if ProtectedBranch.protected?(project, ref)
-        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
+    request_cache def can_push_to_branch?(ref)
+      return false unless can_access_git?
+      return false unless user.can?(:push_code, project) || project.branch_allows_maintainer_push?(user, ref)
 
-        project.protected_branches.protected_ref_accessible_to?(ref, user, action: :push)
+      if protected?(ProtectedBranch, project, ref)
+        project.user_can_push_to_empty_repo?(user) || protected_branch_accessible_to?(ref, action: :push)
       else
-        user.can?(:push_code, project)
+        true
       end
     end
 
-    def can_merge_to_branch?(ref)
+    request_cache def can_merge_to_branch?(ref)
       return false unless can_access_git?
 
-      if ProtectedBranch.protected?(project, ref)
-        project.protected_branches.protected_ref_accessible_to?(ref, user, action: :merge)
+      if protected?(ProtectedBranch, project, ref)
+        protected_branch_accessible_to?(ref, action: :merge)
       else
         user.can?(:push_code, project)
       end
@@ -78,8 +90,30 @@ module Gitlab
 
     private
 
+    def permission_cache
+      @permission_cache ||= {}
+    end
+
     def can_access_git?
       user && user.can?(:access_git)
     end
+
+    def protected_branch_accessible_to?(ref, action:)
+      ProtectedBranch.protected_ref_accessible_to?(
+        ref, user,
+        action: action,
+        protected_refs: project.protected_branches)
+    end
+
+    def protected_tag_accessible_to?(ref, action:)
+      ProtectedTag.protected_ref_accessible_to?(
+        ref, user,
+        action: action,
+        protected_refs: project.protected_tags)
+    end
+
+    request_cache def protected?(kind, project, ref)
+      kind.protected?(project, ref)
+    end
   end
 end