Enforce "No One Can Push" during git operations.

1. The crux of this change is in `UserAccess`, which looks through all the access levels, asking each if the user has access to push/merge for the current project. 2. Update the `protected_branches` factory to create access levels as necessary. 3. Fix and augment `user_access` and `git_access` specs.
author: Timothy Andrew <mail@timothyandrew.net> 2016-07-08 11:45:02 +0530
committer: Timothy Andrew <mail@timothyandrew.net> 2016-07-29 15:20:39 +0530
commit: 828f6eb6e50e6193fad9dbdd95d9dd56506e4064 (patch)
tree: 9a328d1698606d81c0bb7000ed68a4d01891f3f0 /spec/lib/gitlab/git_access_spec.rb
parent: ab6096c17261605d835a4a8edae21f31d90026df (diff)
download: gitlab-ce-828f6eb6e50e6193fad9dbdd95d9dd56506e4064.tar.gz
1 files changed, 44 insertions, 34 deletions
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index ae064a878b0..324bb500025 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -217,29 +217,32 @@ describe Gitlab::GitAccess, lib: true do
         run_permission_checks(permissions_matrix)
       end
 
-      context "when 'developers can push' is turned on for the #{protected_branch_type} protected branch" do
-        before { create(:protected_branch, name: protected_branch_name, developers_can_push: true, project: project) }
+      context "when developers are allowed to push into the #{protected_branch_type} protected branch" do
+        before { create(:protected_branch, :developers_can_push, name: protected_branch_name, project: project) }
 
         run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true }))
       end
 
-      context "when 'developers can merge' is turned on for the #{protected_branch_type} protected branch" do
-        before { create(:protected_branch, name: protected_branch_name, developers_can_merge: true, project: project) }
+      context "developers are allowed to merge into the #{protected_branch_type} protected branch" do
+        before { create(:protected_branch, :developers_can_merge, name: protected_branch_name, project: project) }
 
         context "when a merge request exists for the given source/target branch" do
           context "when the merge request is in progress" do
             before do
-              create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
+              create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature',
+                     state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
             end
 
-            run_permission_checks(permissions_matrix.deep_merge(developer: { merge_into_protected_branch: true }))
-          end
+            context "when the merge request is not in progress" do
+              before do
+                create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', in_progress_merge_commit_sha: nil)
+              end
 
-          context "when the merge request is not in progress" do
-            before do
-              create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', in_progress_merge_commit_sha: nil)
+              run_permission_checks(permissions_matrix.deep_merge(developer: { merge_into_protected_branch: false }))
             end
+          end
 
+          context "when a merge request does not exist for the given source/target branch" do
             run_permission_checks(permissions_matrix.deep_merge(developer: { merge_into_protected_branch: false }))
           end
         end
@@ -249,44 +252,51 @@ describe Gitlab::GitAccess, lib: true do
         end
       end
 
-      context "when 'developers can merge' and 'developers can push' are turned on for the #{protected_branch_type} protected branch" do
-        before { create(:protected_branch, name: protected_branch_name, developers_can_merge: true, developers_can_push: true, project: project) }
+      context "when developers are allowed to push and merge into the #{protected_branch_type} protected branch" do
+        before { create(:protected_branch, :developers_can_merge, :developers_can_push, name: protected_branch_name, project: project) }
 
         run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true }))
       end
     end
 
-    describe 'deploy key permissions' do
-      let(:key) { create(:deploy_key) }
-      let(:actor) { key }
+    context "when no one is allowed to push to the #{protected_branch_name} protected branch" do
+      before { create(:protected_branch, :no_one_can_push, name: protected_branch_name, project: project) }
 
-      context 'push code' do
-        subject { access.check('git-receive-pack') }
+      run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
+                                                          master: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
+    end
+  end
 
-        context 'when project is authorized' do
-          before { key.projects << project }
+  describe 'deploy key permissions' do
+    let(:key) { create(:deploy_key) }
+    let(:actor) { key }
 
-          it { expect(subject).not_to be_allowed }
-        end
+    context 'push code' do
+      subject { access.check('git-receive-pack') }
 
-        context 'when unauthorized' do
-          context 'to public project' do
-            let(:project) { create(:project, :public) }
+      context 'when project is authorized' do
+        before { key.projects << project }
 
-            it { expect(subject).not_to be_allowed }
-          end
+        it { expect(subject).not_to be_allowed }
+      end
 
-          context 'to internal project' do
-            let(:project) { create(:project, :internal) }
+      context 'when unauthorized' do
+        context 'to public project' do
+          let(:project) { create(:project, :public) }
 
-            it { expect(subject).not_to be_allowed }
-          end
+          it { expect(subject).not_to be_allowed }
+        end
 
-          context 'to private project' do
-            let(:project) { create(:project, :internal) }
+        context 'to internal project' do
+          let(:project) { create(:project, :internal) }
 
-            it { expect(subject).not_to be_allowed }
-          end
+          it { expect(subject).not_to be_allowed }
+        end
+
+        context 'to private project' do
+          let(:project) { create(:project, :internal) }
+
+          it { expect(subject).not_to be_allowed }
         end
       end
     end
author	Timothy Andrew <mail@timothyandrew.net>	2016-07-08 11:45:02 +0530
committer	Timothy Andrew <mail@timothyandrew.net>	2016-07-29 15:20:39 +0530
commit	828f6eb6e50e6193fad9dbdd95d9dd56506e4064 (patch)
tree	9a328d1698606d81c0bb7000ed68a4d01891f3f0 /spec/lib/gitlab/git_access_spec.rb
parent	ab6096c17261605d835a4a8edae21f31d90026df (diff)
download	gitlab-ce-828f6eb6e50e6193fad9dbdd95d9dd56506e4064.tar.gz