lib/gitlab/checks/tag_check.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

# frozen_string_literal: true

module Gitlab
  module Checks
    class TagCheck < BaseChecker
      ERROR_MESSAGES = {
        change_existing_tags: 'You are not allowed to change existing tags on this project.',
        update_protected_tag: 'Protected tags cannot be updated.',
        delete_protected_tag: 'Protected tags cannot be deleted.',
        create_protected_tag: 'You are not allowed to create this tag as it is protected.'
      }.freeze

      LOG_MESSAGES = {
        tag_checks: "Checking if you are allowed to change existing tags...",
        protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag..."
      }.freeze

      def validate!
        return unless tag_name

        logger.log_timed(LOG_MESSAGES[:tag_checks]) do
          if tag_exists? && user_access.cannot_do_action?(:admin_project)
            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:change_existing_tags]
          end
        end

        protected_tag_checks
      end

      private

      def protected_tag_checks
        logger.log_timed(LOG_MESSAGES[__method__]) do
          return unless ProtectedTag.protected?(project, tag_name) # rubocop:disable Cop/AvoidReturnFromBlocks

          raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:update_protected_tag]) if update?
          raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_protected_tag]) if deletion?

          unless user_access.can_create_tag?(tag_name)
            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_protected_tag]
          end
        end
      end
    end
  end
end