authorGitLab Bot <gitlab-bot@gitlab.com>2021-07-20 09:55:51 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-07-20 09:55:51 +0000
commite8d2c2579383897a1dd7f9debd359abe8ae8373d (patch)
treec42be41678c2586d49a75cabce89322082698334 /app/services/releases
parentfc845b37ec3a90aaa719975f607740c22ba6a113 (diff)
Add latest changes from gitlab-org/gitlab@14-1-stable-eev14.1.0-rc42
Diffstat (limited to 'app/services/releases')
-rw-r--r--app/services/releases/base_service.rb11
-rw-r--r--app/services/releases/create_service.rb10
-rw-r--r--app/services/releases/destroy_service.rb2
-rw-r--r--app/services/releases/update_service.rb2
4 files changed, 24 insertions, 1 deletions
diff --git a/app/services/releases/base_service.rb b/app/services/releases/base_service.rb
index 9dd0c9a007a..b4b493624e7 100644
--- a/app/services/releases/base_service.rb
+++ b/app/services/releases/base_service.rb
@@ -5,6 +5,8 @@ module Releases
include BaseServiceUtility
include Gitlab::Utils::StrongMemoize
+ ReleaseProtectedTagAccessError = Class.new(StandardError)
+
attr_accessor :project, :current_user, :params
def initialize(project, user = nil, params = {})
@@ -81,6 +83,15 @@ module Releases
release.execute_hooks(action)
end
+ def track_protected_tag_access_error!
+ unless ::Gitlab::UserAccess.new(current_user, container: project).can_create_tag?(tag_name)
+ Gitlab::ErrorTracking.log_exception(
+ ReleaseProtectedTagAccessError.new,
+ project_id: project.id,
+ user_id: current_user.id)
+ end
+ end
+
# overridden in EE
def project_group_id; end
end
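Review bot: `track_protected_tag_access_error!` reads `current_user.id`, yet `initialize` in this file defaults `user` to nil, so if a nil user can reach this call and fails the tag check, the logging path itself raises NoMethodError; `user_id: current_user&.id` keeps it safe. The logged context carries only the project and user ids, so someone triaging these events cannot tell which tag or which service (create, update, destroy) triggered them; consider adding `tag_name: tag_name` to the payload. The trailing `!` suggests the method raises or mutates, but the visible body only logs, so a one-line comment such as `# Log-only: records the denied check, does not block the caller` would prevent misreading. The enclosing class begins outside this hunk.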
diff --git a/app/services/releases/create_service.rb b/app/services/releases/create_service.rb
index 1096e207e02..2aac5644b84 100644
--- a/app/services/releases/create_service.rb
+++ b/app/services/releases/create_service.rb
@@ -7,6 +7,8 @@ module Releases
return error('Release already exists', 409) if release
return error("Milestone(s) not found: #{inexistent_milestones.join(', ')}", 400) if inexistent_milestones.any?
+ track_protected_tag_access_error!
+
# should be found before the creation of new tag
# because tag creation can spawn new pipeline
# which won't have any data for evidence yet
@@ -42,7 +44,13 @@ module Releases
end
def allowed?
- Ability.allowed?(current_user, :create_release, project)
+ Ability.allowed?(current_user, :create_release, project) && can_create_tag?
+ end
+
+ def can_create_tag?
+ return true unless ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, project, default_enabled: :yaml)
+
+ ::Gitlab::UserAccess.new(current_user, container: project).can_create_tag?(tag_name)
end
def create_release(tag, evidence_pipeline)
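Review bot: `can_create_tag?` fails open, because `return true unless ::Feature.enabled?(...)` skips the `Gitlab::UserAccess` check whenever the flag is off, and protected-tag rules then place no restriction on release creation. The guard deserves a comment stating that it is a rollout switch, for example `# Rollout guard: protected-tag rules are not enforced for release creation while this flag is disabled`. The flag name is misspelled (`evalute_...`); it presumably has to match a YAML definition that is not visible here, so correcting it means renaming both together. The same `::Gitlab::UserAccess.new(current_user, container: project).can_create_tag?(tag_name)` expression also appears in `track_protected_tag_access_error!` in base_service.rb and could be shared through one helper there.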
diff --git a/app/services/releases/destroy_service.rb b/app/services/releases/destroy_service.rb
index 8abf9308689..36cf29c955d 100644
--- a/app/services/releases/destroy_service.rb
+++ b/app/services/releases/destroy_service.rb
@@ -6,6 +6,8 @@ module Releases
return error('Release does not exist', 404) unless release
return error('Access Denied', 403) unless allowed?
+ track_protected_tag_access_error!
+
if release.destroy
success(tag: existing_tag, release: release)
else
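Review bot: The return value of `track_protected_tag_access_error!` is discarded, so a user who fails the protected-tag check is logged and then still reaches `release.destroy`; the call added in update_service.rb behaves the same way before the release is modified. If this is deliberate telemetry ahead of enforcement, say so at both call sites, for example `# Log-only: protected-tag rules are not yet enforced for this action`, since the bang name reads as though it would abort. Only create_service.rb folds the tag check into `allowed?`, so the three services are inconsistent in what a protected tag actually prevents. The `execute` body continues outside this hunk.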
diff --git a/app/services/releases/update_service.rb b/app/services/releases/update_service.rb
index 4e78120ac05..eda4b7102c0 100644
--- a/app/services/releases/update_service.rb
+++ b/app/services/releases/update_service.rb
@@ -7,6 +7,8 @@ module Releases
return error
end
+ track_protected_tag_access_error!
+
if param_for_milestone_titles_provided?
previous_milestones = release.milestones.map(&:title)
params[:milestones] = milestones