diff options
Diffstat (limited to 'lib/api')
| -rw-r--r-- | lib/api/internal.rb | 60 | 
1 files changed, 19 insertions, 41 deletions
| diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 69aad3748b3..bcf97574673 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -1,16 +1,12 @@  module API    # Internal access API    class Internal < Grape::API - -    DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive } -    PUSH_COMMANDS = %w{ git-receive-pack } -      namespace 'internal' do -      # -      # Check if ssh key has access to project code +      # Check if git command is allowed to project        #        # Params: -      #   key_id - SSH Key id +      #   key_id - ssh key id for Git over SSH +      #   user_id - user id for Git over HTTP        #   project - project path with namespace        #   action - git action (git-upload-pack or git-receive-pack)        #   ref - branch name @@ -22,43 +18,25 @@ module API          # the wiki repository as well.          project_path = params[:project]          project_path.gsub!(/\.wiki/,'') if project_path =~ /\.wiki/ - -        key = Key.find(params[:key_id])          project = Project.find_with_namespace(project_path) -        git_cmd = params[:action]          return false unless project - -        if key.is_a? DeployKey -          key.projects.include?(project) && DOWNLOAD_COMMANDS.include?(git_cmd) -        else -          user = key.user - -          return false if user.blocked? - -          if Gitlab.config.ldap.enabled -            if user.ldap_user? -              # Check if LDAP user exists and match LDAP user_filter -              unless Gitlab::LDAP::Access.new.allowed?(user) -                return false -              end -            end -          end - -          action = case git_cmd -                   when *DOWNLOAD_COMMANDS -                     then :download_code -                   when *PUSH_COMMANDS -                     then -                     if project.protected_branch?(params[:ref]) -                       :push_code_to_protected_branches -                     else -                       :push_code -                     end -                   end - -          user.can?(action, project) -        end +        actor = if params[:key_id] +                  Key.find(params[:key_id]) +                elsif params[:user_id] +                  User.find(params[:user_id]) +                end + +        return false unless actor + +        Gitlab::GitAccess.new.allowed?( +          actor, +          params[:action], +          project, +          params[:ref], +          params[:oldrev], +          params[:newrev] +        )        end        # | 
