summaryrefslogtreecommitdiff
path: root/lib/gitlab/auth.rb
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2022-07-20 15:40:28 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-07-20 15:40:28 +0000
commitb595cb0c1dec83de5bdee18284abe86614bed33b (patch)
tree8c3d4540f193c5ff98019352f554e921b3a41a72 /lib/gitlab/auth.rb
parent2f9104a328fc8a4bddeaa4627b595166d24671d0 (diff)
downloadgitlab-ce-b595cb0c1dec83de5bdee18284abe86614bed33b.tar.gz
Add latest changes from gitlab-org/gitlab@15-2-stable-eev15.2.0-rc42
Diffstat (limited to 'lib/gitlab/auth.rb')
-rw-r--r--lib/gitlab/auth.rb22
1 files changed, 4 insertions, 18 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 5d5a431f206..6c3487c28ea 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -217,7 +217,7 @@ module Gitlab
return unless valid_scoped_token?(token, all_available_scopes)
if project && token.user.project_bot?
- return unless token_bot_in_resource?(token.user, project)
+ return unless can_read_project?(token.user, project)
end
if token.user.can_log_in_with_non_expired_password? || token.user.project_bot?
@@ -225,22 +225,8 @@ module Gitlab
end
end
- def token_bot_in_project?(user, project)
- project.bots.include?(user)
- end
-
- # rubocop: disable CodeReuse/ActiveRecord
-
- # A workaround for adding group-level automation is to add the bot user of a project access token as a group member.
- # In order to make project access tokens work this way during git authentication, we need to add an additional check for group membership.
- # This is a temporary workaround until service accounts are implemented.
- def token_bot_in_group?(user, project)
- project.group && project.group.members_with_parents.where(user_id: user.id).exists?
- end
- # rubocop: enable CodeReuse/ActiveRecord
-
- def token_bot_in_resource?(user, project)
- token_bot_in_project?(user, project) || token_bot_in_group?(user, project)
+ def can_read_project?(user, project)
+ user.can?(:read_project, project)
end
def valid_oauth_token?(token)
@@ -323,7 +309,7 @@ module Gitlab
return unless build.project.builds_enabled?
if build.user
- return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && token_bot_in_resource?(build.user, build.project))
+ return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && can_read_project?(build.user, build.project))
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
View Lorry Controller Status