author | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-06-25 18:37:32 +1000 |
---|---|---|
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2018-07-27 12:46:34 +0100 |
commit | 8a05ad3dc3b2ddeb54d8ce0449901b6b94cd99f5 (patch) | |
tree | 8a73c059693f07d9729162161e4d2b01106bcdca | |
parent | b69533624fa53655fa1ef901dfe805cac356afbf (diff) | |
download | gitlab-ce-8a05ad3dc3b2ddeb54d8ce0449901b6b94cd99f5.tar.gz |
PersonalAccessToken methods to look up project restrictions
-rw-r--r-- | app/models/personal_access_token.rb | 8 | ||||
-rw-r--r-- | app/models/token_resource.rb | 4 | ||||
-rw-r--r-- | spec/models/personal_access_token_spec.rb | 35 |
3 files changed, 47 insertions, 0 deletions
diff --git a/app/models/personal_access_token.rb b/app/models/personal_access_token.rb
index 5dbdc03e642..7c56dee19ad 100644
--- a/app/models/personal_access_token.rb
+++ b/app/models/personal_access_token.rb
@@ -32,6 +32,14 @@ class PersonalAccessToken < ActiveRecord::Base
     !revoked? && !expired?
   end
 
+  def restricted_by_resource?
+    token_resources.exists?
+  end
+
+  def allows_resource?(resource)
+    !restricted_by_resource? || token_resources.allowing_resource(resource).present?
+  end
+
   def self.redis_getdel(user_id)
     Gitlab::Redis::SharedState.with do |redis|
       token = redis.get(redis_shared_state_key(user_id))
diff --git a/app/models/token_resource.rb b/app/models/token_resource.rb
index 6cf4765dfba..c5791c6e679 100644
--- a/app/models/token_resource.rb
+++ b/app/models/token_resource.rb
@@ -4,4 +4,8 @@ class TokenResource < ActiveRecord::Base
 
   validates :personal_access_token, presence: true
   validates :project, presence: true
+
+  def self.allowing_resource(resource)
+    where(project: resource)
+  end
 end
diff --git a/spec/models/personal_access_token_spec.rb b/spec/models/personal_access_token_spec.rb
index e452b0e3d7b..5fdf301117b 100644
--- a/spec/models/personal_access_token_spec.rb
+++ b/spec/models/personal_access_token_spec.rb
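Review bot: `allows_resource?` in app/models/personal_access_token.rb fails open by design — a token with no `token_resources` rows is allowed on every resource — but nothing in the hunk records that, and `token_resources.allowing_resource(resource).present?` loads the matching rows only to test for non-emptiness. Since this sits on the authorization path and `restricted_by_resource?` already issues an `exists?` query, the second check should be `token_resources.allowing_resource(resource).exists?` as well. I would also state the default above the method, e.g. `# Unrestricted tokens (no TokenResource rows) may access any resource; restricted tokens only the projects linked via token_resources.` The enclosing class continues outside the hunk.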
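Review bot: `TokenResource.allowing_resource` in app/models/token_resource.rb filters with `where(project: resource)`, which as far as I know compares only the passed record's id against `project_id`, so a record that is not a Project but shares a numeric id with a linked project would appear to be allowed; nothing in the hunk rejects such a call, and the `resource` naming invites callers to pass more than projects. Either narrow the contract — `def self.for_project(project)` — or guard it with `return none unless resource.is_a?(Project)` before the `where`. A one-line comment stating that only Project records are supported would help callers either way.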
@@ -133,4 +133,39 @@ describe PersonalAccessToken do
       expect(personal_access_token.errors[:scopes].first).to eq "can only contain available scopes"
     end
   end
+
+  describe "restricted_by_resource?" do
+    it "is true when the token is scoped to specific projects" do
+      token = create(:personal_access_token, projects: [create(:project)])
+
+      expect(token).to be_restricted_by_resource
+    end
+
+    it "is false when no projects are linked" do
+      expect(described_class.new).not_to be_restricted_by_resource
+      expect(create(:personal_access_token)).not_to be_restricted_by_resource
+    end
+  end
+
+  describe "allows_resource?" do
+    it "is true when the token isn't restricted by resource" do
+      subject = create(:personal_access_token)
+
+      expect(subject.allows_resource?(create(:project))).to eq true
+    end
+
+    context "when restricted to a project" do
+      let(:allowed_project) { create(:project) }
+
+      subject { create(:personal_access_token, projects: [allowed_project]) }
+
+      it "is true for projects the token grants access to" do
+        expect(subject.allows_resource?(allowed_project)).to eq true
+      end
+
+      it "is false for projects to which access isn't allowed" do
+        expect(subject.allows_resource?(create(:project))).to eq false
+      end
+    end
+  end
 end
|
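Review bot: The `allows_resource?` examples in spec/models/personal_access_token_spec.rb exercise the denied case only with another Project record; there is no example for `nil` or for an argument that is not a Project, which is exactly where `where(project: resource)` behaves least obviously. A third example inside the "when restricted to a project" context would pin the denial down: `it "is false for a nil resource" do expect(subject.allows_resource?(nil)).to eq false end`. The enclosing `describe PersonalAccessToken do` block starts outside the hunk; only its closing `end` is visible here.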