# frozen_string_literal: true
# One "allowed to create" rule attached to a protected tag.
#
# A rule is either role-based (an access level with no user, group or deploy
# key set) or bound to a specific deploy key. The uniqueness validations keep
# a protected tag from holding duplicate role rules or the same deploy key
# twice.
#
# NOTE(review): Importable and ProtectedTagAccess are defined elsewhere; the
# `super` calls below, `role?`, `project` and `protected_tag` are presumably
# provided by them or by the model's associations. Confirm against those modules.
class ProtectedTag::CreateAccessLevel < ApplicationRecord
  include Importable
  include ProtectedTagAccess

  belongs_to :deploy_key

  # Role-based rules only: one row per access level per protected tag.
  validates :access_level,
    uniqueness: {
      scope: :protected_tag_id,
      if: :role?,
      conditions: -> { where(user_id: nil, group_id: nil, deploy_key_id: nil) }
    }
  # A deploy key may appear at most once per protected tag; nil is exempt.
  validates :deploy_key_id, uniqueness: { scope: :protected_tag_id, allow_nil: true }
  validate :validate_deploy_key_membership

  # Kind of rule this row represents.
  #
  # @return [Symbol] :deploy_key when a deploy key is attached, otherwise
  #   whatever the inherited implementation reports
  def type
    return :deploy_key if deploy_key.present?

    super
  end

  # Decides whether +user+ satisfies this rule.
  #
  # NO_ACCESS is evaluated first, so it denies regardless of any deploy key on
  # the rule. For a deploy-key rule with a user present, the user must be able
  # to read the project AND pass enabled_deploy_key_for_user?. Every other case
  # (no user, or no deploy key) is delegated to the inherited check.
  #
  # @param user [User, nil] the actor being checked
  # @return [Boolean] result of the applicable check
  def check_access(user)
    return false if access_level == Gitlab::Access::NO_ACCESS
    return super unless user && deploy_key.present?

    user.can?(:read_project, project) && enabled_deploy_key_for_user?(deploy_key, user)
  end

  private

  # Validation: a deploy key attached to the rule must be enabled for the
  # rule's project.
  #
  # Only membership in deploy_keys_projects is checked here; write access of
  # the key is checked at access time in enabled_deploy_key_for_user?.
  def validate_deploy_key_membership
    return unless deploy_key

    key_enabled = project.deploy_keys_projects.where(deploy_key: deploy_key).exists?
    errors.add(:deploy_key, 'is not enabled for this project') unless key_enabled
  end

  # True only when +user+ owns +deploy_key+ and the key has write access to
  # the protected tag's project.
  #
  # The ownership comparison runs first, so a key owned by someone else is
  # rejected before the write-access lookup is made.
  #
  # @param deploy_key [DeployKey]
  # @param user [User]
  # @return [Boolean]
  def enabled_deploy_key_for_user?(deploy_key, user)
    return false unless deploy_key.user_id == user.id

    DeployKey.with_write_access_for_project(protected_tag.project, deploy_key: deploy_key).any?
  end
end