Commit 4b868ba8 authored by Francisco Javier López's avatar Francisco Javier López Committed by Yorick Peterse

[master] Check access rights when creating/updating ProtectedRefs

parent c653921b
...@@ -6,8 +6,6 @@ module ProtectedBranches ...@@ -6,8 +6,6 @@ module ProtectedBranches
@push_params = AccessLevelParams.new(:push, params) @push_params = AccessLevelParams.new(:push, params)
@merge_params = AccessLevelParams.new(:merge, params) @merge_params = AccessLevelParams.new(:merge, params)
verify_params!
protected_branch_params = { protected_branch_params = {
name: params[:name], name: params[:name],
push_access_levels_attributes: @push_params.access_levels, push_access_levels_attributes: @push_params.access_levels,
...@@ -16,11 +14,5 @@ module ProtectedBranches ...@@ -16,11 +14,5 @@ module ProtectedBranches
::ProtectedBranches::CreateService.new(@project, @current_user, protected_branch_params).execute ::ProtectedBranches::CreateService.new(@project, @current_user, protected_branch_params).execute
end end
private
def verify_params!
# EE-only
end
end end
end end
...@@ -776,10 +776,13 @@ describe Gitlab::GitAccess do ...@@ -776,10 +776,13 @@ describe Gitlab::GitAccess do
it "has the correct permissions for #{role}s" do it "has the correct permissions for #{role}s" do
if role == :admin if role == :admin
user.update_attribute(:admin, true) user.update_attribute(:admin, true)
project.add_guest(user)
else else
project.add_role(user, role) project.add_role(user, role)
end end
protected_branch.save
aggregate_failures do aggregate_failures do
matrix.each do |action, allowed| matrix.each do |action, allowed|
check = -> { push_changes(changes[action]) } check = -> { push_changes(changes[action]) }
...@@ -861,25 +864,19 @@ describe Gitlab::GitAccess do ...@@ -861,25 +864,19 @@ describe Gitlab::GitAccess do
[%w(feature exact), ['feat*', 'wildcard']].each do |protected_branch_name, protected_branch_type| [%w(feature exact), ['feat*', 'wildcard']].each do |protected_branch_name, protected_branch_type|
context do context do
before do let(:protected_branch) { create(:protected_branch, :maintainers_can_push, name: protected_branch_name, project: project) }
create(:protected_branch, name: protected_branch_name, project: project)
end
run_permission_checks(permissions_matrix) run_permission_checks(permissions_matrix)
end end
context "when developers are allowed to push into the #{protected_branch_type} protected branch" do context "when developers are allowed to push into the #{protected_branch_type} protected branch" do
before do let(:protected_branch) { create(:protected_branch, :developers_can_push, name: protected_branch_name, project: project) }
create(:protected_branch, :developers_can_push, name: protected_branch_name, project: project)
end
run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true })) run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true }))
end end
context "developers are allowed to merge into the #{protected_branch_type} protected branch" do context "developers are allowed to merge into the #{protected_branch_type} protected branch" do
before do let(:protected_branch) { create(:protected_branch, :developers_can_merge, name: protected_branch_name, project: project) }
create(:protected_branch, :developers_can_merge, name: protected_branch_name, project: project)
end
context "when a merge request exists for the given source/target branch" do context "when a merge request exists for the given source/target branch" do
context "when the merge request is in progress" do context "when the merge request is in progress" do
...@@ -906,17 +903,13 @@ describe Gitlab::GitAccess do ...@@ -906,17 +903,13 @@ describe Gitlab::GitAccess do
end end
context "when developers are allowed to push and merge into the #{protected_branch_type} protected branch" do context "when developers are allowed to push and merge into the #{protected_branch_type} protected branch" do
before do let(:protected_branch) { create(:protected_branch, :developers_can_merge, :developers_can_push, name: protected_branch_name, project: project) }
create(:protected_branch, :developers_can_merge, :developers_can_push, name: protected_branch_name, project: project)
end
run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true })) run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true }))
end end
context "when no one is allowed to push to the #{protected_branch_name} protected branch" do context "when no one is allowed to push to the #{protected_branch_name} protected branch" do
before do let(:protected_branch) { build(:protected_branch, :no_one_can_push, name: protected_branch_name, project: project) }
create(:protected_branch, :no_one_can_push, name: protected_branch_name, project: project)
end
run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }, run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }, maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
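Review bot: The added `protected_branch.save` inside the `has the correct permissions for #{role}s` example discards its return value, so a record that fails validation would leave the example running without the protected branch it is meant to exercise, and the matrix would be checked against the wrong state. Given that the commit title says access rights are now checked on create/update, a rejected save looks like a realistic outcome here; `protected_branch.save!` would surface it at setup rather than as a misleading allow/deny mismatch. The `no_one_can_push` context is also the only one that switches to `build` instead of `create`, and a one-line comment stating why would help, e.g. `# built, not created: persisted by the example once the user's role is set` if that is indeed the reason. The enclosing example group starts outside the hunk, and every context that reaches it now has to define `protected_branch`.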
......