Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/helpers.rb | 6 | ||||
-rw-r--r-- | lib/api/issues.rb | 10 | ||||
-rw-r--r-- | lib/api/users.rb | 2 | ||||
-rw-r--r-- | lib/api/v3/issues.rb | 7 | ||||
-rw-r--r-- | lib/banzai/reference_parser/base_parser.rb | 2 | ||||
-rw-r--r-- | lib/ci/api/runners.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/allowable.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/checks/change_access.rb | 8 | ||||
-rw-r--r-- | lib/gitlab/git_access.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/user_access.rb | 14 |
10 files changed, 28 insertions, 31 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index a9b364da9e1..bd22b82476b 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -97,7 +97,7 @@ module API
 end
 def authenticate!
- unauthorized! unless current_user
+ unauthorized! unless current_user && can?(current_user, :access_api)
 end
 def authenticate_non_get!
@@ -116,7 +116,7 @@ module API
 forbidden! unless current_user.is_admin?
 end
- def authorize!(action, subject = nil)
+ def authorize!(action, subject = :global)
 forbidden! unless can?(current_user, action, subject)
 end
@@ -134,7 +134,7 @@ module API
 end
 end
- def can?(object, action, subject)
+ def can?(object, action, subject = :global)
 Ability.allowed?(object, action, subject)
 end
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 4a9f2b26fb2..1abe8639445 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -116,8 +116,10 @@ module API
 requires :title, type: String, desc: 'The title of an issue'
 optional :created_at, type: DateTime,
 desc: 'Date time when the issue was created. Available only for admins and project owners.'
- optional :merge_request_for_resolving_discussions, type: Integer,
+ optional :merge_request_to_resolve_discussions_of, type: Integer,
 desc: 'The IID of a merge request for which to resolve discussions'
+ optional :discussion_to_resolve, type: String,
+ desc: 'The ID of a discussion to resolve, also pass `merge_request_to_resolve_discussions_of`'
 use :issue_params
 end
 post ':id/issues' do
@@ -128,12 +130,6 @@ module API
 issue_params = declared_params(include_missing: false)
- if merge_request_iid = params[:merge_request_for_resolving_discussions]
- issue_params[:merge_request_for_resolving_discussions] = MergeRequestsFinder.new(current_user, project_id: user_project.id).
- execute.
- find_by(iid: merge_request_iid)
- end
-
 issue = ::Issues::CreateService.new(user_project,
 current_user,
 issue_params.merge(request: request, api: true)).execute
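Review bot: Changing the `authorize!` default from `nil` to `:global` (and adding the same default to `can?` in the next hunk) only helps callers that omit the argument; any caller that still passes `nil` explicitly, as `lib/api/users.rb` did before this commit, keeps handing `nil` to `Ability.allowed?`. It is worth grepping the remaining `can?(…, nil)` and `authorize!(…, nil)` call sites so the two spellings do not diverge in what the policy layer receives. A one-line comment on `authorize!` would record the intent: `# subject defaults to :global so global abilities such as :access_api can be checked without a target`.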
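Review bot: `discussion_to_resolve` is declared as an independent optional parameter even though its own description says `merge_request_to_resolve_discussions_of` must accompany it, so a request carrying only the discussion id passes parameter validation and the mismatch has to be caught further down, outside this hunk. If the project's Grape version supports it, nesting the declaration makes the dependency explicit and validated at the boundary: `given :merge_request_to_resolve_discussions_of do` / `  optional :discussion_to_resolve, type: String, desc: 'The ID of a discussion to resolve'` / `end`. The "also pass" hint in the `desc` string could then go.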
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 549003f576a..2d4d5a25221 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -45,7 +45,7 @@ module API
 use :pagination
 end
 get do
- unless can?(current_user, :read_users_list, nil)
+ unless can?(current_user, :read_users_list)
 render_api_error!("Not authorized.", 403)
 end
diff --git a/lib/api/v3/issues.rb b/lib/api/v3/issues.rb
index 5d7dfabfcd6..258cbfed022 100644
--- a/lib/api/v3/issues.rb
+++ b/lib/api/v3/issues.rb
@@ -139,12 +139,7 @@ module API
 end
 issue_params = declared_params(include_missing: false)
-
- if merge_request_iid = params[:merge_request_for_resolving_discussions]
- issue_params[:merge_request_for_resolving_discussions] = MergeRequestsFinder.new(current_user, project_id: user_project.id).
- execute.
- find_by(iid: merge_request_iid)
- end
+ issue_params = issue_params.merge(merge_request_to_resolve_discussions_of: issue_params.delete(:merge_request_for_resolving_discussions))
 issue = ::Issues::CreateService.new(user_project,
 current_user,
diff --git a/lib/banzai/reference_parser/base_parser.rb b/lib/banzai/reference_parser/base_parser.rb
index 2058a58d0ae..b121c37c5d0 100644
--- a/lib/banzai/reference_parser/base_parser.rb
+++ b/lib/banzai/reference_parser/base_parser.rb
@@ -210,7 +210,7 @@ module Banzai
 grouped_objects_for_nodes(nodes, Project, 'data-project')
 end
- def can?(user, permission, subject)
+ def can?(user, permission, subject = :global)
 Ability.allowed?(user, permission, subject)
 end
diff --git a/lib/ci/api/runners.rb b/lib/ci/api/runners.rb
index c1fd959ef14..45aa2adccf5 100644
--- a/lib/ci/api/runners.rb
+++ b/lib/ci/api/runners.rb
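Review bot: The new merge line always inserts `merge_request_to_resolve_discussions_of`, because `delete` returns `nil` when the legacy key is absent, so `issue_params` no longer honours `include_missing: false` for that key and the service receives an explicit nil. A guarded rename keeps the key out when it was not supplied: `if (mr_iid = issue_params.delete(:merge_request_for_resolving_discussions))` / `  issue_params[:merge_request_to_resolve_discussions_of] = mr_iid` / `end`. This hunk and the matching removal hunk in `lib/api/issues.rb` also drop the `MergeRequestsFinder.new(current_user, …)` lookup, which appears to be where the caller's visibility of the merge request was enforced; the raw IID now reaches `::Issues::CreateService`, which is outside this diff, so confirm that the service resolves it through a user-scoped finder rather than a plain `find_by(iid:)` on the project, and that a spec covers an IID the requesting user cannot see.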
@@ -24,13 +24,13 @@ module Ci
 optional :locked, type: Boolean, desc: 'Lock this runner for this specific project'
 end
 post "register" do
- runner_params = declared(params, include_missing: false)
+ runner_params = declared(params, include_missing: false).except(:token)
 runner =
 if runner_registration_token_valid?
 # Create shared runner. Requires admin access
 Ci::Runner.create(runner_params.merge(is_shared: true))
- elsif project = Project.find_by(runners_token: runner_params[:token])
+ elsif project = Project.find_by(runners_token: params[:token])
 # Create a specific runner for project.
 project.runners.create(runner_params)
 end
diff --git a/lib/gitlab/allowable.rb b/lib/gitlab/allowable.rb
index f48abcc86d5..e4f7cad2b79 100644
--- a/lib/gitlab/allowable.rb
+++ b/lib/gitlab/allowable.rb
@@ -1,6 +1,6 @@
 module Gitlab
 module Allowable
- def can?(user, action, subject)
+ def can?(user, action, subject = :global)
 Ability.allowed?(user, action, subject)
 end
 end
diff --git a/lib/gitlab/checks/change_access.rb b/lib/gitlab/checks/change_access.rb
index 273118135a9..c85f79127bc 100644
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -1,16 +1,20 @@
 module Gitlab
 module Checks
 class ChangeAccess
- attr_reader :user_access, :project, :skip_authorization
+ # protocol is currently used only in EE
+ attr_reader :user_access, :project, :skip_authorization, :protocol
 def initialize(
- change, user_access:, project:, env: {}, skip_authorization: false)
+ change, user_access:, project:, env: {}, skip_authorization: false,
+ protocol:
+ )
 @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
 @branch_name = Gitlab::Git.branch_name(@ref)
 @user_access = user_access
 @project = project
 @env = env
 @skip_authorization = skip_authorization
+ @protocol = protocol
 end
 def exec
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index ffb178334bc..eea2f206902 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
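Review bot: `Project.find_by(runners_token: params[:token])` is now reached with the raw request parameter, and a nil or empty `token` turns the lookup into a `runners_token IS NULL` or `= ''` query rather than a guaranteed miss; unless the `params` block above this hunk already declares `requires :token`, guard the branch: `elsif params[:token].present? && (project = Project.find_by(runners_token: params[:token]))`. Stripping `:token` from `runner_params` before the two `create` calls is the right move, presumably so the registration token cannot be mass-assigned onto the new runner record, but nothing in the hunk says so; a comment on the new line, `# the registration token is used for lookup only and must never be mass-assigned onto the runner`, would keep the next refactor from "simplifying" it away.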
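Review bot: `protocol:` becomes a required keyword on `ChangeAccess#initialize`, which is the safer choice for a value that EE access checks read, but the only documentation is "used only in EE": nothing says what values it carries, and `nil` is accepted and stored unchanged. Expand the comment to describe the value rather than its consumer, e.g. `# protocol: the transport the change arrived over (the value GitAccess passes as protocol); read only by EE checks`, and consider raising `ArgumentError` for a nil protocol if EE gates on it. The `exec` method that follows is outside this hunk.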
@@ -153,7 +153,9 @@ module Gitlab
 user_access: user_access,
 project: project,
 env: @env,
- skip_authorization: deploy_key?).exec
+ skip_authorization: deploy_key?,
+ protocol: protocol
+ ).exec
 end
 def matching_merge_request?(newrev, branch_name)
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 6ce9b229294..f260c0c535f 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -8,7 +8,7 @@ module Gitlab
 end
 def can_do_action?(action)
- return false if no_user_or_blocked?
+ return false unless can_access_git?
 @permission_cache ||= {}
 @permission_cache[action] ||= user.can?(action, project)
@@ -19,7 +19,7 @@ module Gitlab
 end
 def allowed?
- return false if no_user_or_blocked?
+ return false unless can_access_git?
 if user.requires_ldap_check? && user.try_obtain_ldap_lease
 return false unless Gitlab::LDAP::Access.allowed?(user)
@@ -29,7 +29,7 @@ module Gitlab
 end
 def can_push_to_branch?(ref)
- return false if no_user_or_blocked?
+ return false unless can_access_git?
 if project.protected_branch?(ref)
 return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
@@ -44,7 +44,7 @@ module Gitlab
 end
 def can_merge_to_branch?(ref)
- return false if no_user_or_blocked?
+ return false unless can_access_git?
 if project.protected_branch?(ref)
 access_levels = project.protected_branches.matching(ref).map(&:merge_access_levels).flatten
@@ -55,15 +55,15 @@ module Gitlab
 end
 def can_read_project?
- return false if no_user_or_blocked?
+ return false unless can_access_git?
 user.can?(:read_project, project)
 end
 private
- def no_user_or_blocked?
- user.nil? || user.blocked?
+ def can_access_git?
+ user && user.can?(:access_git)
 end
 end
 end
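Review bot: Replacing `no_user_or_blocked?` with `can_access_git?` moves the explicit `user.blocked?` check out of this class and into the `:access_git` ability, which is not part of this diff; every public method here (`can_do_action?`, `allowed?`, `can_push_to_branch?`, `can_merge_to_branch?`, `can_read_project?`) now depends on that policy denying blocked users, so a spec asserting that a blocked user gets `false` from `allowed?` would pin what the removed check guaranteed. The same substitution is made in the four earlier hunks of this file, so one such spec covers them all. Stylistically, `user && user.can?(:access_git)` can be `user&.can?(:access_git)` if the project's Ruby floor is 2.3 or later, and a comment on the helper would make the delegation visible: `# nil and blocked users are rejected by the :access_git ability, not here`. Note that `can_access_git?` is evaluated on every call while `can_do_action?` caches only the per-action result, which is fine if `Ability` caches internally but is worth confirming.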