Protected Tags enforced over git

author: James Edwards-Jones <jedwardsjones@gitlab.com> 2017-03-31 17:57:29 +0100
committer: James Edwards-Jones <jedwardsjones@gitlab.com> 2017-03-31 19:37:38 +0100
commit: e3fbcd0093b07bbc084061992bb8ae6bd4343d52 (patch)
tree: e61b5e5c446979ee627d0fa18bf52d7b0e4d3ca4 /lib/gitlab/checks/change_access.rb
parent: b5fce1d5ac87546e8f31fb0ef6f6c4d514670198 (diff)
download: gitlab-ce-e3fbcd0093b07bbc084061992bb8ae6bd4343d52.tar.gz
1 files changed, 32 insertions, 5 deletions
diff --git a/lib/gitlab/checks/change_access.rb b/lib/gitlab/checks/change_access.rb
index c85f79127bc..0d8f114cc59 100644
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -10,6 +10,7 @@ module Gitlab
       )
         @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
         @branch_name = Gitlab::Git.branch_name(@ref)
+        @tag_name = Gitlab::Git.tag_name(@ref)
         @user_access = user_access
         @project = project
         @env = env
@@ -36,7 +37,7 @@ module Gitlab
 
         if forced_push?
           return "You are not allowed to force push code to a protected branch on this project."
-        elsif Gitlab::Git.blank_ref?(@newrev)
+        elsif blank_ref?
           return "You are not allowed to delete protected branches from this project."
         end
 
@@ -58,11 +59,33 @@ module Gitlab
       def tag_checks
         return if skip_authorization
 
-        tag_ref = Gitlab::Git.tag_name(@ref)
+        return unless @tag_name
 
-        if tag_ref && protected_tag?(tag_ref) && user_access.cannot_do_action?(:admin_project)
+        if tag_exists? && user_access.cannot_do_action?(:admin_project)
           "You are not allowed to change existing tags on this project."
         end
+
+        protected_tag_checks
+      end
+
+      def protected_tag_checks
+        return unless tag_protected?
+
+        if forced_push?
+          return "You are not allowed to force push protected tags." #TODO: Wording, 'not allowed to update proteted tags'?
+        end
+
+        if Gitlab::Git.blank_ref?(@newrev)
+          return "You are not allowed to delete protected tags." #TODO: Wording, do these need to mention 'you' if the rule applies to everyone
+        end
+
+        if !user_access.can_push_tag?(@tag_name)
+          return "You are not allowed to create protected tags on this project." #TODO: Wording, it is a specific tag which you don't have access too, not all protected tags which might have different levels
+        end
+      end
+
+      def tag_protected?
+        project.protected_tag?(@tag_name)
       end
 
       def push_checks
@@ -75,14 +98,18 @@ module Gitlab
 
       private
 
-      def protected_tag?(tag_name)
-        project.repository.tag_exists?(tag_name)
+      def tag_exists?
+        project.repository.tag_exists?(@tag_name)
       end
 
       def forced_push?
         Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev, env: @env)
       end
 
+      def blank_ref?
+        Gitlab::Git.blank_ref?(@newrev)
+      end
+
       def matching_merge_request?
         Checks::MatchingMergeRequest.new(@newrev, @branch_name, @project).match?
       end
author	James Edwards-Jones <jedwardsjones@gitlab.com>	2017-03-31 17:57:29 +0100
committer	James Edwards-Jones <jedwardsjones@gitlab.com>	2017-03-31 19:37:38 +0100
commit	e3fbcd0093b07bbc084061992bb8ae6bd4343d52 (patch)
tree	e61b5e5c446979ee627d0fa18bf52d7b0e4d3ca4 /lib/gitlab/checks/change_access.rb
parent	b5fce1d5ac87546e8f31fb0ef6f6c4d514670198 (diff)
download	gitlab-ce-e3fbcd0093b07bbc084061992bb8ae6bd4343d52.tar.gz