author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-18 14:10:09 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-18 14:10:09 +0000 |
commit | a0a166e723005aea66e278c653542eb4e5cca11f (patch) | |
tree | bf9fb05985ff9e4046afe8d48733d5f41f10e7fd | |
parent | 859a6fb938bb9ee2a317c46dfa4fcc1af49608f0 (diff) | |
download | gitlab-ce-a0a166e723005aea66e278c653542eb4e5cca11f.tar.gz |
Add latest changes from gitlab-org/gitlab@13-9-stable-ee
-rw-r--r-- | app/models/concerns/protected_ref.rb | 16 | ||||
-rw-r--r-- | changelogs/unreleased/id-restrict-protected-rules.yml | 5 | ||||
-rw-r--r-- | spec/models/concerns/protected_ref_spec.rb | 77 |
3 files changed, 5 insertions, 93 deletions
diff --git a/app/models/concerns/protected_ref.rb b/app/models/concerns/protected_ref.rb
index cf23a27244c..65195a8d5aa 100644
--- a/app/models/concerns/protected_ref.rb
+++ b/app/models/concerns/protected_ref.rb
@@ -40,26 +40,20 @@ module ProtectedRef
 end
 def protected_ref_accessible_to?(ref, user, project:, action:, protected_refs: nil)
- all_matching_rules_allow?(ref, action: action, protected_refs: protected_refs) do |access_level|
+ access_levels_for_ref(ref, action: action, protected_refs: protected_refs).any? do |access_level|
 access_level.check_access(user)
 end
 end
 def developers_can?(action, ref, protected_refs: nil)
- all_matching_rules_allow?(ref, action: action, protected_refs: protected_refs) do |access_level|
+ access_levels_for_ref(ref, action: action, protected_refs: protected_refs).any? do |access_level|
 access_level.access_level == Gitlab::Access::DEVELOPER
 end
 end
- def all_matching_rules_allow?(ref, action:, protected_refs: nil, &block)
- access_levels_groups =
- self.matching(ref, protected_refs: protected_refs).map(&:"#{action}_access_levels")
-
- return false if access_levels_groups.blank?
-
- access_levels_groups.all? do |access_levels|
- access_levels.any?(&block)
- end
+ def access_levels_for_ref(ref, action:, protected_refs: nil)
+ self.matching(ref, protected_refs: protected_refs)
+ .flat_map(&:"#{action}_access_levels")
 end
 # Returns all protected refs that match the given ref name.
diff --git a/changelogs/unreleased/id-restrict-protected-rules.yml b/changelogs/unreleased/id-restrict-protected-rules.yml
deleted file mode 100644
index caa604bee2a..00000000000
--- a/changelogs/unreleased/id-restrict-protected-rules.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Most restrictive protected branch rule takes precedence
-merge_request: 52319
-author:
-type: fixed
diff --git a/spec/models/concerns/protected_ref_spec.rb b/spec/models/concerns/protected_ref_spec.rb
deleted file mode 100644
index 0a020736269..00000000000
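Review bot: `protected_ref_accessible_to?` and `developers_can?` now call `.any?` on the access levels pooled from every matching rule, so a single permitting level on any one matching rule grants the action and a stricter overlapping rule (for example a wildcard rule alongside an exact-name rule) no longer narrows it; the removed `all_matching_rules_allow?` required each matching rule to permit. If most-permissive-wins is the intended policy on this branch, record it above `access_levels_for_ref` with a comment such as `# Levels from all matching rules are pooled; one permitting level on any rule is enough to grant the action.` so later readers do not assume restrictive precedence. The commit also deletes spec/models/concerns/protected_ref_spec.rb without a replacement, so a spec that pins the result for overlapping rules would be worth keeping. The enclosing module starts and ends outside the hunk.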
--- a/spec/models/concerns/protected_ref_spec.rb
+++ /dev/null
@@ -1,77 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe ProtectedRef do
- using RSpec::Parameterized::TableSyntax
-
- let_it_be(:project) { create(:project, :repository) }
- let_it_be(:user) { create(:user, maintainer_projects: [project]) }
-
- where(:klass, :factory, :action) do
- ProtectedBranch | :protected_branch | :push
- ProtectedTag | :protected_tag | :create
- end
-
- with_them do
- describe '#protected_ref_accessible_to?' do
- subject do
- klass.protected_ref_accessible_to?('release', user, project: project, action: action)
- end
-
- it 'user cannot do action if rules do not exist' do
- is_expected.to be_falsy
- end
-
- context 'the ref is protected' do
- let!(:default_rule) { create(factory, :"developers_can_#{action}", project: project, name: 'release') }
-
- context 'all rules permit action' do
- let!(:maintainers_can) { create(factory, :"maintainers_can_#{action}", project: project, name: 'release*') }
-
- it 'user can do action' do
- is_expected.to be_truthy
- end
- end
-
- context 'one of the rules forbids action' do
- let!(:no_one_can) { create(factory, :"no_one_can_#{action}", project: project, name: 'release*') }
-
- it 'user cannot do action' do
- is_expected.to be_falsy
- end
- end
- end
- end
-
- describe '#developers_can?' do
- subject do
- klass.developers_can?(action, 'release')
- end
-
- it 'developers cannot do action if rules do not exist' do
- is_expected.to be_falsy
- end
-
- context 'the ref is protected' do
- let!(:default_rule) { create(factory, :"developers_can_#{action}", project: project, name: 'release') }
-
- context 'all rules permit developers to do action' do
- let!(:developers_can) { create(factory, :"developers_can_#{action}", project: project, name: 'release*') }
-
- it 'developers can do action' do
- is_expected.to be_truthy
- end
- end
-
- context 'one of the rules forbids developers to do action' do
- let!(:maintainers_can) { create(factory, :"maintainers_can_#{action}", project: project, name: 'release*') }
-
- it 'developers cannot do action' do
- is_expected.to be_falsy
- end
- end
- end
- end
- end
-end |