author | Timothy Andrew <mail@timothyandrew.net> | 2016-07-08 11:45:02 +0530 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2016-07-29 15:20:39 +0530 |
commit | 828f6eb6e50e6193fad9dbdd95d9dd56506e4064 (patch) | |
tree | 9a328d1698606d81c0bb7000ed68a4d01891f3f0 /app | |
parent | ab6096c17261605d835a4a8edae21f31d90026df (diff) | |
download | gitlab-ce-828f6eb6e50e6193fad9dbdd95d9dd56506e4064.tar.gz |
Enforce "No One Can Push" during git operations.
1. The crux of this change is in `UserAccess`, which looks through all
the access levels, asking each if the user has access to push/merge
for the current project.
2. Update the `protected_branches` factory to create access levels as
necessary.
3. Fix and augment `user_access` and `git_access` specs.
Diffstat (limited to 'app')
-rw-r--r-- | app/models/protected_branch/merge_access_level.rb | 9 | ||||
-rw-r--r-- | app/models/protected_branch/push_access_level.rb | 11 |
2 files changed, 20 insertions, 0 deletions
diff --git a/app/models/protected_branch/merge_access_level.rb b/app/models/protected_branch/merge_access_level.rb
index cfaa9c166fe..2d13d8c8381 100644
--- a/app/models/protected_branch/merge_access_level.rb
+++ b/app/models/protected_branch/merge_access_level.rb
@@ -1,5 +1,14 @@
 class ProtectedBranch::MergeAccessLevel < ActiveRecord::Base
 belongs_to :protected_branch
+ delegate :project, to: :protected_branch
 enum access_level: [:masters, :developers]
+
+ def check_access(user)
+ if masters?
+ user.can?(:push_code, project) if project.team.master?(user)
+ elsif developers?
+ user.can?(:push_code, project) if (project.team.master?(user) || project.team.developer?(user))
+ end
+ end
 end
diff --git a/app/models/protected_branch/push_access_level.rb b/app/models/protected_branch/push_access_level.rb
index 8861632c055..5a4a33556ce 100644
--- a/app/models/protected_branch/push_access_level.rb
+++ b/app/models/protected_branch/push_access_level.rb
@@ -1,5 +1,16 @@
 class ProtectedBranch::PushAccessLevel < ActiveRecord::Base
 belongs_to :protected_branch
+ delegate :project, to: :protected_branch
 enum access_level: [:masters, :developers, :no_one]
+
+ def check_access(user)
+ if masters?
+ user.can?(:push_code, project) if project.team.master?(user)
+ elsif developers?
+ user.can?(:push_code, project) if (project.team.master?(user) || project.team.developer?(user))
+ elsif no_one?
+ false
+ end
+ end
 end |
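Review bot: `MergeAccessLevel#check_access` returns `nil`, not `false`, when the user lacks the required role (the modifier `if`) or when no `if`/`elsif` branch matches, so denial is implicit and depends on the caller treating `nil` as "no"; the caller is not part of this diff. The same holds for `PushAccessLevel#check_access` in the next hunk, which returns an explicit `false` only for `no_one?`. Writing each branch as `project.team.master?(user) && user.can?(:push_code, project)` and ending the chain with `else false` would make the predicate return a boolean and stay deny-by-default if an access level is added later. This method also tests the `:push_code` ability although it governs merging; if that is intended, a comment such as `# Merging into a protected branch requires push rights on the project` should say so.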
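Review bot: The `masters?` and `developers?` branches of `PushAccessLevel#check_access` are a verbatim copy of the ones added to `MergeAccessLevel#check_access`, so two authorization checks now have to be kept in step by hand. Moving the shared role test into one module included by both classes, with only the `no_one?` case kept here, would prevent the two from drifting apart. The parentheses around the modifier condition in `if (project.team.master?(user) || project.team.developer?(user))` are not needed. The method has no comment stating what it returns; a one-line `# Returns true only if the user's team role satisfies this access level and the user can push to the project` would help.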