diff options
author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-08-08 12:01:25 +0200 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-09-13 13:30:26 +0200 |
commit | 505dc808b3c0dc98413506446d368b91b56ff682 (patch) | |
tree | 1f6d5c7fe805bf5ff11a4f5696d73e11d71ca3a6 /app/controllers/jwt_controller.rb | |
parent | 45afdbef0de58f6de207b057e47151611d2ad7e6 (diff) | |
download | gitlab-ce-505dc808b3c0dc98413506446d368b91b56ff682.tar.gz |
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files)
Diffstat (limited to 'app/controllers/jwt_controller.rb')
-rw-r--r-- | app/controllers/jwt_controller.rb | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 66ebdcc37a7..ca02df28b91 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -11,7 +11,7 @@ class JwtController < ApplicationController service = SERVICES[params[:service]] return head :not_found unless service - result = service.new(@project, @user, auth_params).execute + result = service.new(@project, @user, auth_params).execute(access_type: @access_type) render json: result, status: result[:http_status] end @@ -21,10 +21,10 @@ class JwtController < ApplicationController def authenticate_project_or_user authenticate_with_http_basic do |login, password| # if it's possible we first try to authenticate project with login and password - @project = authenticate_project(login, password) + @project, @user, @access_type = authenticate_build(login, password) return if @project - @user = authenticate_user(login, password) + @user, @access_type = authenticate_user(login, password) return if @user render_403 @@ -35,15 +35,17 @@ class JwtController < ApplicationController params.permit(:service, :scope, :account, :client_id) end - def authenticate_project(login, password) - if login == 'gitlab-ci-token' - Project.with_builds_enabled.find_by(runners_token: password) - end + def authenticate_build(login, password) + return unless login == 'gitlab-ci-token' + return unless password + + build = Ci::Build.running.find_by(token: password) + return build.project, build.user, :restricted if build end def authenticate_user(login, password) user = Gitlab::Auth.find_with_user_password(login, password) Gitlab::Auth.rate_limit!(request.ip, success: user.present?, login: login) - user + return user, :full end end |