diff options
author | Lin Jen-Shin <godfat@godfat.org> | 2016-11-11 20:40:28 +0800 |
---|---|---|
committer | Lin Jen-Shin <godfat@godfat.org> | 2016-11-11 20:40:28 +0800 |
commit | 05cc87052a7755da3d352409ef3ab024921593c4 (patch) | |
tree | 426052d6e83d4f2fd6abfb0c8fe08e4b9168c3eb /lib/gitlab/git_access.rb | |
parent | 5b5722e9099d63652ec47fc5599217c348e0f9dc (diff) | |
download | gitlab-ce-05cc87052a7755da3d352409ef3ab024921593c4.tar.gz |
Improve write access check for deploy key
Diffstat (limited to 'lib/gitlab/git_access.rb')
-rw-r--r-- | lib/gitlab/git_access.rb | 81 |
1 files changed, 36 insertions, 45 deletions
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index 64b5c4b98dc..819e0657bdd 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -7,7 +7,7 @@ module Gitlab ERROR_MESSAGES = { upload: 'You are not allowed to upload code for this project.', download: 'You are not allowed to download code from this project.', - deploy_key: 'Deploy keys are not allowed to push code.', + deploy_key: 'This deploy key does not have write access to this project.', no_repo: 'A repository for this project does not exist yet.' } @@ -46,22 +46,18 @@ module Gitlab def download_access_check if user user_download_access_check - elsif deploy_key.nil? && !Guest.can?(:download_code, project) + elsif !Guest.can?(:download_code, project) raise UnauthorizedError, ERROR_MESSAGES[:download] end end def push_access_check(changes) - unless project.repository.exists? - return build_status_object(false, "A repository for this project does not exist yet.") - end - - if user - user_push_access_check(changes) - elsif deploy_key + if deploy_key deploy_key_push_access_check(changes) + elsif user + user_push_access_check(changes) else - raise UnauthorizedError, ERROR_MESSAGES[deploy_key ? :deploy_key : :upload] + raise UnauthorizedError, ERROR_MESSAGES[:upload] end end @@ -88,34 +84,19 @@ module Gitlab return # Allow access. end - unless project.repository.exists? - raise UnauthorizedError, ERROR_MESSAGES[:no_repo] - end - - changes_list = Gitlab::ChangesList.new(changes) - - # Iterate over all changes to find if user allowed all of them to be applied - changes_list.each do |change| - status = change_access_check(change) - unless status.allowed? - # If user does not have access to make at least one change - cancel all push - raise UnauthorizedError, status.message - end - end + check_repository_existence! + check_change_access!(changes) end def deploy_key_push_access_check(changes) - if actor.can_push? - build_status_object(true) + if deploy_key.can_push? + check_repository_existence! + check_change_access!(changes) else - build_status_object(false, "The deploy key does not have write access to the project.") + raise UnauthorizedError, ERROR_MESSAGES[:deploy_key] end end - def change_access_check(change) - Checks::ChangeAccess.new(change, user_access: user_access, project: project).exec - end - def protocol_allowed? Gitlab::ProtocolAccess.allowed?(protocol) end @@ -146,6 +127,27 @@ module Gitlab end end + def check_repository_existence! + unless project.repository.exists? + raise UnauthorizedError, ERROR_MESSAGES[:no_repo] + end + end + + def check_change_access!(changes) + changes_list = Gitlab::ChangesList.new(changes) + + # Iterate over all changes to find if user allowed all of them to be applied + changes_list.each do |change| + status = Checks::ChangeAccess.new(change, + user_access: user_access, + project: project).exec + unless status.allowed? + # If user does not have access to make at least one change - cancel all push + raise UnauthorizedError, status.message + end + end + end + def matching_merge_request?(newrev, branch_name) Checks::MatchingMergeRequest.new(newrev, branch_name, project).match? end @@ -154,20 +156,11 @@ module Gitlab actor if actor.is_a?(DeployKey) end - def deploy_key_can_read_project? - if deploy_key - return true if project.public? - deploy_key.projects.include?(project) - else - false - end - end - def can_read_project? - if user + if deploy_key + project.public? || deploy_key.projects.include?(project) + elsif user user_access.can_read_project? - elsif deploy_key - deploy_key_can_read_project? else Guest.can?(:read_project, project) end @@ -182,8 +175,6 @@ module Gitlab case actor when User actor - when DeployKey - nil when Key actor.user end |