diff options
| author | Mike Lewis <mlewis@gitlab.com> | 2019-06-07 20:13:17 +0000 |
|---|---|---|
| committer | Mike Lewis <mlewis@gitlab.com> | 2019-06-07 20:13:17 +0000 |
| commit | 99df0218f82b851b017bd0eea1b8351dc89df6ed (patch) | |
| tree | b01f884fbd1418dd5465fc1741f1620061ae8c5c /app/services/concerns/validates_classification_label.rb | |
| parent | 3eea6906747d10bea501426febaf15d2c209e06a (diff) | |
| parent | e07b2b277f79bc25cdce22ca2defba1ba80791aa (diff) | |
| download | gitlab-ce-99df0218f82b851b017bd0eea1b8351dc89df6ed.tar.gz | |
Merge branch 'master' into 'docs/fix-example-dot-net'
# Conflicts:
# doc/user/project/clusters/serverless/index.md
Diffstat (limited to 'app/services/concerns/validates_classification_label.rb')
| -rw-r--r-- | app/services/concerns/validates_classification_label.rb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/app/services/concerns/validates_classification_label.rb b/app/services/concerns/validates_classification_label.rb new file mode 100644 index 00000000000..ebcf5c24ff8 --- /dev/null +++ b/app/services/concerns/validates_classification_label.rb @@ -0,0 +1,27 @@ +# frozen_string_literal: true + +module ValidatesClassificationLabel + def validate_classification_label(record, attribute_name) + return unless ::Gitlab::ExternalAuthorization.enabled? + return unless classification_label_change?(record, attribute_name) + + new_label = params[attribute_name].presence + new_label ||= ::Gitlab::CurrentSettings.current_application_settings + .external_authorization_service_default_label + + unless ::Gitlab::ExternalAuthorization.access_allowed?(current_user, new_label) + reason = rejection_reason_for_label(new_label) + message = s_('ClassificationLabelUnavailable|is unavailable: %{reason}') % { reason: reason } + record.errors.add(attribute_name, message) + end + end + + def rejection_reason_for_label(label) + reason_from_service = ::Gitlab::ExternalAuthorization.rejection_reason(current_user, label).presence + reason_from_service || _("Access to '%{classification_label}' not allowed") % { classification_label: label } + end + + def classification_label_change?(record, attribute_name) + params.key?(attribute_name) || record.new_record? + end +end |