From 48aff82709769b098321c738f3444b9bdaa694c6 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 21 Oct 2020 07:08:36 +0000
Subject: Add latest changes from gitlab-org/gitlab@13-5-stable-ee
---
 .../resource_access_tokens/create_service.rb | 18 ++-------------
 .../resource_access_tokens/revoke_service.rb | 27 ++++++++++++----------
 2 files changed, 17 insertions(+), 28 deletions(-)
(limited to 'app/services/resource_access_tokens')
diff --git a/app/services/resource_access_tokens/create_service.rb b/app/services/resource_access_tokens/create_service.rb
index c253154c1b7..cdeb57627a8 100644
--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
@@ -10,7 +10,6 @@ module ResourceAccessTokens
 end
 def execute
- return unless feature_enabled?
 return error("User does not have permission to create #{resource_type} Access Token") unless has_permission_to_create?
 user = create_user
@@ -31,21 +30,8 @@ module ResourceAccessTokens
 attr_reader :resource_type, :resource
- def feature_enabled?
- return false if ::Gitlab.com?
-
- ::Feature.enabled?(:resource_access_token, resource, default_enabled: true)
- end
-
 def has_permission_to_create?
- case resource_type
- when 'project'
- can?(current_user, :admin_project, resource)
- when 'group'
- can?(current_user, :admin_group, resource)
- else
- false
- end
+ %w(project group).include?(resource_type) && can?(current_user, :admin_resource_access_tokens, resource)
 end
 def create_user
@@ -103,7 +89,7 @@ module ResourceAccessTokens
 end
 def provision_access(resource, user)
- resource.add_maintainer(user)
+ resource.add_user(user, :maintainer, expires_at: params[:expires_at])
 end
 def error(message)
diff --git a/app/services/resource_access_tokens/revoke_service.rb b/app/services/resource_access_tokens/revoke_service.rb
index efeb0bfb8d5..ece928dac31 100644
--- a/app/services/resource_access_tokens/revoke_service.rb
+++ b/app/services/resource_access_tokens/revoke_service.rb
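Review bot: The availability gates that `feature_enabled?` enforced (`::Gitlab.com?` and the `resource_access_token` flag) have no visible replacement in `create_service.rb`: `has_permission_to_create?` now depends only on the `:admin_resource_access_tokens` ability, whose policy rule is not part of this diff. Presumably that rule carries the instance and flag checks now, but nothing in this service blocks creation if it does not, so this is worth confirming against the policy file before merge. I would record the dependency above the method, e.g. `# Availability (instance type, feature flag) is expected to be enforced by the :admin_resource_access_tokens policy rule, not by this service.` The method is complete within the hunk; `create_user` below it continues outside.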
@@ -14,18 +14,15 @@ module ResourceAccessTokens
 end
 def execute
+ return error("#{current_user.name} cannot delete #{bot_user.name}") unless can_destroy_bot_member?
 return error("Failed to find bot user") unless find_member
- PersonalAccessToken.transaction do
- access_token.revoke!
+ access_token.revoke!
- raise RevokeAccessTokenError, "Failed to remove #{bot_user.name} member from: #{resource.name}" unless remove_member
+ destroy_bot_user
- raise RevokeAccessTokenError, "Migration to ghost user failed" unless migrate_to_ghost_user
- end
-
- success("Revoked access token: #{access_token.name}")
- rescue ActiveRecord::ActiveRecordError, RevokeAccessTokenError => error
+ success("Access token #{access_token.name} has been revoked and the bot user has been scheduled for deletion.")
+ rescue StandardError => error
 log_error("Failed to revoke access token for #{bot_user.name}: #{error.message}")
 error(error.message)
 end
@@ -34,12 +31,18 @@ module ResourceAccessTokens
 attr_reader :current_user, :access_token, :bot_user, :resource
- def remove_member
- ::Members::DestroyService.new(current_user).execute(find_member, destroy_bot: true)
+ def destroy_bot_user
+ DeleteUserWorker.perform_async(current_user.id, bot_user.id, skip_authorization: true)
 end
- def migrate_to_ghost_user
- ::Users::MigrateToGhostUserService.new(bot_user).execute
+ def can_destroy_bot_member?
+ if resource.is_a?(Project)
+ can?(current_user, :admin_project_member, @resource)
+ elsif resource.is_a?(Group)
+ can?(current_user, :admin_group_member, @resource)
+ else
+ false
+ end
 end
 def find_member
-- cgit v1.2.1
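Review bot: The widened `rescue StandardError => error` in `execute` passes `error.message` straight back to the caller, so any internal failure (for example while enqueuing the worker) can surface its raw message wherever the service result is displayed. Keep the detail in `log_error` and return a fixed message instead, e.g. `error("Failed to revoke access token #{access_token.name}")`. With the transaction gone, `access_token.revoke!` is also committed before `destroy_bot_user` runs, so a failed enqueue leaves the token revoked and the bot user and its membership in place while the caller is told the revoke failed. A comment such as `# Not atomic: the token stays revoked even if scheduling the bot deletion fails` would make that explicit.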
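Review bot: `destroy_bot_user` enqueues `DeleteUserWorker` with `skip_authorization: true`, so the checks in this service are the only authorization before a user account is deleted, and none of the visible lines verifies that `bot_user` is actually a bot account. `can_destroy_bot_member?` establishes only that `current_user` may administer members of the resource, and `find_member` (its body is outside the hunk) presumably only that `bot_user` is a member of it. Unless the initializer or the callers already guarantee this, I would add a guard at the top of `execute`, e.g. `return error("Failed to find bot user") unless bot_user&.project_bot?`. As a style point, `can_destroy_bot_member?` mixes the `resource` reader with `@resource`; use the reader throughout.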