Enforce "No One Can Push" during git operations.

1. The crux of this change is in `UserAccess`, which looks through all
   the access levels, asking each if the user has access to push/merge
   for the current project.

2. Update the `protected_branches` factory to create access levels as
   necessary.

3. Fix and augment `user_access` and `git_access` specs.

2 files changed, 20 insertions, 0 deletions

diff --git a/app/models/protected_branch/merge_access_level.rb b/app/models/protected_branch/merge_access_level.rb
index cfaa9c166fe..2d13d8c8381 100644
--- a/app/models/protected_branch/merge_access_level.rb
+++ b/app/models/protected_branch/merge_access_level.rb
@@ -1,5 +1,14 @@
 class ProtectedBranch::MergeAccessLevel < ActiveRecord::Base
   belongs_to :protected_branch
+  delegate :project, to: :protected_branch
 
   enum access_level: [:masters, :developers]
+
+  def check_access(user)
+    if masters?
+      user.can?(:push_code, project) if project.team.master?(user)
+    elsif developers?
+      user.can?(:push_code, project) if (project.team.master?(user) || project.team.developer?(user))
+    end
+  end
 end
diff --git a/app/models/protected_branch/push_access_level.rb b/app/models/protected_branch/push_access_level.rb
index 8861632c055..5a4a33556ce 100644
--- a/app/models/protected_branch/push_access_level.rb
+++ b/app/models/protected_branch/push_access_level.rb
@@ -1,5 +1,16 @@
 class ProtectedBranch::PushAccessLevel < ActiveRecord::Base
   belongs_to :protected_branch
+  delegate :project, to: :protected_branch
 
   enum access_level: [:masters, :developers, :no_one]
+
+  def check_access(user)
+    if masters?
+      user.can?(:push_code, project) if project.team.master?(user)
+    elsif developers?
+      user.can?(:push_code, project) if (project.team.master?(user) || project.team.developer?(user))
+    elsif no_one?
+      false
+    end
+  end
 end