author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-07-20 09:55:51 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-07-20 09:55:51 +0000 |
commit | e8d2c2579383897a1dd7f9debd359abe8ae8373d (patch) | |
tree | c42be41678c2586d49a75cabce89322082698334 /app/services/releases | |
parent | fc845b37ec3a90aaa719975f607740c22ba6a113 (diff) | |
download | gitlab-ce-e8d2c2579383897a1dd7f9debd359abe8ae8373d.tar.gz |
Add latest changes from gitlab-org/gitlab@14-1-stable-eev14.1.0-rc42
Diffstat (limited to 'app/services/releases')
-rw-r--r-- | app/services/releases/base_service.rb | 11 | ||||
-rw-r--r-- | app/services/releases/create_service.rb | 10 | ||||
-rw-r--r-- | app/services/releases/destroy_service.rb | 2 | ||||
-rw-r--r-- | app/services/releases/update_service.rb | 2 |
4 files changed, 24 insertions, 1 deletions
diff --git a/app/services/releases/base_service.rb b/app/services/releases/base_service.rb
index 9dd0c9a007a..b4b493624e7 100644
--- a/app/services/releases/base_service.rb
+++ b/app/services/releases/base_service.rb
@@ -5,6 +5,8 @@ module Releases include BaseServiceUtility include Gitlab::Utils::StrongMemoize + ReleaseProtectedTagAccessError = Class.new(StandardError) + attr_accessor :project, :current_user, :params def initialize(project, user = nil, params = {})
@@ -81,6 +83,15 @@ module Releases release.execute_hooks(action) end + def track_protected_tag_access_error! + unless ::Gitlab::UserAccess.new(current_user, container: project).can_create_tag?(tag_name) + Gitlab::ErrorTracking.log_exception( + ReleaseProtectedTagAccessError.new, + project_id: project.id, + user_id: current_user.id) + end + end + # overridden in EE def project_group_id; end end
diff --git a/app/services/releases/create_service.rb b/app/services/releases/create_service.rb
index 1096e207e02..2aac5644b84 100644
--- a/app/services/releases/create_service.rb
+++ b/app/services/releases/create_service.rb
@@ -7,6 +7,8 @@ module Releases return error('Release already exists', 409) if release return error("Milestone(s) not found: #{inexistent_milestones.join(', ')}", 400) if inexistent_milestones.any? + track_protected_tag_access_error! + # should be found before the creation of new tag # because tag creation can spawn new pipeline # which won't have any data for evidence yet
@@ -42,7 +44,13 @@ module Releases end def allowed? - Ability.allowed?(current_user, :create_release, project) + Ability.allowed?(current_user, :create_release, project) && can_create_tag? + end + + def can_create_tag? + return true unless ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, project, default_enabled: :yaml) + + ::Gitlab::UserAccess.new(current_user, container: project).can_create_tag?(tag_name) end def create_release(tag, evidence_pipeline)
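Review bot: In `track_protected_tag_access_error!` (second hunk of base_service.rb) `current_user.id` is read without a nil guard although `initialize` declares `user = nil`. If `can_create_tag?` returns false for a missing user (its implementation is not visible here), the logging path itself would raise NoMethodError; `user_id: current_user&.id` avoids that. The bang suffix also suggests the method raises or denies, while the body only logs, so a comment above it such as `# Log-only: records release actions by users who may not create the tag; never blocks the request` would spare callers the guess.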
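Review bot: `can_create_tag?` in create_service.rb fails open: when the `:evalute_protected_tag_for_release_permissions` flag is disabled it returns true, so `allowed?` falls back to the `:create_release` ability alone and protected-tag rules are not applied. A comment on the guard line would make that explicit, e.g. `# Flag off: protected-tag rules are not enforced here, only logged by track_protected_tag_access_error!`. The flag name spells "evalute"; if it is corrected, the flag's YAML definition (outside this diff) has to change in the same commit. The `::Gitlab::UserAccess.new(current_user, container: project).can_create_tag?(tag_name)` expression repeats the one in the base-service tracking method and could live in one shared private helper.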
diff --git a/app/services/releases/destroy_service.rb b/app/services/releases/destroy_service.rb
index 8abf9308689..36cf29c955d 100644
--- a/app/services/releases/destroy_service.rb
+++ b/app/services/releases/destroy_service.rb
@@ -6,6 +6,8 @@ module Releases return error('Release does not exist', 404) unless release return error('Access Denied', 403) unless allowed? + track_protected_tag_access_error! + if release.destroy success(tag: existing_tag, release: release) else
diff --git a/app/services/releases/update_service.rb b/app/services/releases/update_service.rb
index 4e78120ac05..eda4b7102c0 100644
--- a/app/services/releases/update_service.rb
+++ b/app/services/releases/update_service.rb
@@ -7,6 +7,8 @@ module Releases return error end + track_protected_tag_access_error! + if param_for_milestone_titles_provided? previous_milestones = release.milestones.map(&:title) params[:milestones] = milestones |
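Review bot: In destroy_service.rb the added `track_protected_tag_access_error!` call runs after the `allowed?` check and only logs, so a user who may not create the protected tag can still delete its release; the call added in update_service.rb has the same effect for edits. Only create_service.rb's `allowed?` gained the `can_create_tag?` condition in this commit. If this is a deliberate observe-first rollout, a comment at both call sites would record it, e.g. `# Log-only for now: protected-tag access is enforced on create only`. Otherwise the `allowed?` methods of these two services, which are defined outside the hunks, need the same condition.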