summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorTimothy Andrew <mail@timothyandrew.net>2016-07-08 11:45:02 +0530
committerTimothy Andrew <mail@timothyandrew.net>2016-07-29 15:20:39 +0530
commit828f6eb6e50e6193fad9dbdd95d9dd56506e4064 (patch)
tree9a328d1698606d81c0bb7000ed68a4d01891f3f0 /app
parentab6096c17261605d835a4a8edae21f31d90026df (diff)
downloadgitlab-ce-828f6eb6e50e6193fad9dbdd95d9dd56506e4064.tar.gz
Enforce "No One Can Push" during git operations.
1. The crux of this change is in `UserAccess`, which looks through all the access levels, asking each if the user has access to push/merge for the current project. 2. Update the `protected_branches` factory to create access levels as necessary. 3. Fix and augment `user_access` and `git_access` specs.
Diffstat (limited to 'app')
-rw-r--r--app/models/protected_branch/merge_access_level.rb9
-rw-r--r--app/models/protected_branch/push_access_level.rb11
2 files changed, 20 insertions, 0 deletions
diff --git a/app/models/protected_branch/merge_access_level.rb b/app/models/protected_branch/merge_access_level.rb
index cfaa9c166fe..2d13d8c8381 100644
--- a/app/models/protected_branch/merge_access_level.rb
+++ b/app/models/protected_branch/merge_access_level.rb
@@ -1,5 +1,14 @@
class ProtectedBranch::MergeAccessLevel < ActiveRecord::Base
belongs_to :protected_branch
+ delegate :project, to: :protected_branch
enum access_level: [:masters, :developers]
+
+ def check_access(user)
+ if masters?
+ user.can?(:push_code, project) if project.team.master?(user)
+ elsif developers?
+ user.can?(:push_code, project) if (project.team.master?(user) || project.team.developer?(user))
+ end
+ end
end
diff --git a/app/models/protected_branch/push_access_level.rb b/app/models/protected_branch/push_access_level.rb
index 8861632c055..5a4a33556ce 100644
--- a/app/models/protected_branch/push_access_level.rb
+++ b/app/models/protected_branch/push_access_level.rb
@@ -1,5 +1,16 @@
class ProtectedBranch::PushAccessLevel < ActiveRecord::Base
belongs_to :protected_branch
+ delegate :project, to: :protected_branch
enum access_level: [:masters, :developers, :no_one]
+
+ def check_access(user)
+ if masters?
+ user.can?(:push_code, project) if project.team.master?(user)
+ elsif developers?
+ user.can?(:push_code, project) if (project.team.master?(user) || project.team.developer?(user))
+ elsif no_one?
+ false
+ end
+ end
end