blob: 5dd7720b67d8696c6309e5940c03a3efd7fe3b04 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
# frozen_string_literal: true
module Gitlab
module Checks
class TagCheck < BaseSingleChecker
ERROR_MESSAGES = {
change_existing_tags: 'You are not allowed to change existing tags on this project.',
update_protected_tag: 'Protected tags cannot be updated.',
delete_protected_tag: 'You are not allowed to delete protected tags from this project. '\
'Only a project maintainer or owner can delete a protected tag.',
delete_protected_tag_non_web: 'You can only delete protected tags using the web interface.',
create_protected_tag: 'You are not allowed to create this tag as it is protected.'
}.freeze
LOG_MESSAGES = {
tag_checks: "Checking if you are allowed to change existing tags...",
protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..."
}.freeze
def validate!
return unless tag_name
logger.log_timed(LOG_MESSAGES[:tag_checks]) do
if tag_exists? && user_access.cannot_do_action?(:admin_tag)
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:change_existing_tags]
end
end
protected_tag_checks
end
private
def protected_tag_checks
logger.log_timed(LOG_MESSAGES[__method__]) do
return unless ProtectedTag.protected?(project, tag_name) # rubocop:disable Cop/AvoidReturnFromBlocks
raise(GitAccess::ForbiddenError, ERROR_MESSAGES[:update_protected_tag]) if update?
if deletion?
unless user_access.user.can?(:maintainer_access, project)
raise(GitAccess::ForbiddenError, ERROR_MESSAGES[:delete_protected_tag])
end
unless updated_from_web?
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:delete_protected_tag_non_web]
end
end
unless user_access.can_create_tag?(tag_name)
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:create_protected_tag]
end
end
end
end
end
end
|