author | James Edwards-Jones <jedwardsjones@gitlab.com> | 2017-03-31 17:57:29 +0100 |
---|---|---|
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2017-03-31 19:37:38 +0100 |
commit | e3fbcd0093b07bbc084061992bb8ae6bd4343d52 (patch) | |
tree | e61b5e5c446979ee627d0fa18bf52d7b0e4d3ca4 /lib/gitlab/checks | |
parent | b5fce1d5ac87546e8f31fb0ef6f6c4d514670198 (diff) | |
download | gitlab-ce-e3fbcd0093b07bbc084061992bb8ae6bd4343d52.tar.gz |
Protected Tags enforced over git
Diffstat (limited to 'lib/gitlab/checks')
-rw-r--r-- | lib/gitlab/checks/change_access.rb | 37 |
1 files changed, 32 insertions, 5 deletions
diff --git a/lib/gitlab/checks/change_access.rb b/lib/gitlab/checks/change_access.rb
index c85f79127bc..0d8f114cc59 100644
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -10,6 +10,7 @@ module Gitlab
 )
 @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
 @branch_name = Gitlab::Git.branch_name(@ref)
+ @tag_name = Gitlab::Git.tag_name(@ref)
 @user_access = user_access
 @project = project
 @env = env
@@ -36,7 +37,7 @@ module Gitlab
 if forced_push?
 return "You are not allowed to force push code to a protected branch on this project."
- elsif Gitlab::Git.blank_ref?(@newrev)
+ elsif blank_ref?
 return "You are not allowed to delete protected branches from this project."
 end
@@ -58,11 +59,33 @@ module Gitlab
 def tag_checks
 return if skip_authorization
- tag_ref = Gitlab::Git.tag_name(@ref)
+ return unless @tag_name
- if tag_ref && protected_tag?(tag_ref) && user_access.cannot_do_action?(:admin_project)
+ if tag_exists? && user_access.cannot_do_action?(:admin_project)
 "You are not allowed to change existing tags on this project."
 end
+
+ protected_tag_checks
+ end
+
+ def protected_tag_checks
+ return unless tag_protected?
+
+ if forced_push?
+ return "You are not allowed to force push protected tags." #TODO: Wording, 'not allowed to update proteted tags'?
+ end
+
+ if Gitlab::Git.blank_ref?(@newrev)
+ return "You are not allowed to delete protected tags." #TODO: Wording, do these need to mention 'you' if the rule applies to everyone
+ end
+
+ if !user_access.can_push_tag?(@tag_name)
+ return "You are not allowed to create protected tags on this project." #TODO: Wording, it is a specific tag which you don't have access too, not all protected tags which might have different levels
+ end
+ end
+
+ def tag_protected?
+ project.protected_tag?(@tag_name)
 end
 def push_checks
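Review bot: The existing-tag guard in `tag_checks` no longer has any effect: the string inside `if tag_exists? && user_access.cannot_do_action?(:admin_project)` used to be the method's implicit return value, but with `protected_tag_checks` now the last expression it is evaluated and discarded. If the caller treats a returned string as the rejection reason, as the `return "..."` lines in the branch checks suggest, a user without `:admin_project` is no longer stopped from changing an existing unprotected tag over git. Make the rejection explicit with `return "You are not allowed to change existing tags on this project."`, and add a spec for a non-admin push to an existing unprotected tag so the regression is caught. In `protected_tag_checks`, `if Gitlab::Git.blank_ref?(@newrev)` can call the `blank_ref?` helper this commit adds in the last hunk, and `if !user_access.can_push_tag?(@tag_name)` reads better as `unless user_access.can_push_tag?(@tag_name)`.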
@@ -75,14 +98,18 @@ module Gitlab
 private
- def protected_tag?(tag_name)
- project.repository.tag_exists?(tag_name)
+ def tag_exists?
+ project.repository.tag_exists?(@tag_name)
 end
 def forced_push?
 Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev, env: @env)
 end
+ def blank_ref?
+ Gitlab::Git.blank_ref?(@newrev)
+ end
+
 def matching_merge_request?
 Checks::MatchingMergeRequest.new(@newrev, @branch_name, @project).match?
 end |