Commit 7ff1c0e3 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'fix-internal-api' into 'master'

Fix internal api

Fixes #1787

See merge request !1280
parents 27077ab2 612b8806
......@@ -33,15 +33,20 @@ module API
end
project = Project.find_with_namespace(project_path)
return false unless project
unless project
return Gitlab::GitAccessStatus.new(false, 'No such project')
end
actor = if params[:key_id]
Key.find(params[:key_id])
Key.find_by(id: params[:key_id])
elsif params[:user_id]
User.find(params[:user_id])
User.find_by(id: params[:user_id])
end
return false unless actor
unless actor
return Gitlab::GitAccessStatus.new(false, 'No such user or key')
end
access.check(
actor,
......
......@@ -8,15 +8,7 @@ module Gitlab
def check(actor, cmd, project, changes = nil)
case cmd
when *DOWNLOAD_COMMANDS
if actor.is_a? User
download_access_check(actor, project)
elsif actor.is_a? DeployKey
actor.projects.include?(project)
elsif actor.is_a? Key
download_access_check(actor.user, project)
else
raise 'Wrong actor'
end
download_access_check(actor, project)
when *PUSH_COMMANDS
if actor.is_a? User
push_access_check(actor, project, changes)
......@@ -32,7 +24,23 @@ module Gitlab
end
end
def download_access_check(user, project)
def download_access_check(actor, project)
if actor.is_a?(User)
user_download_access_check(actor, project)
elsif actor.is_a?(DeployKey)
if actor.projects.include?(project)
build_status_object(true)
else
build_status_object(false, "Deploy key not allowed to access this project")
end
elsif actor.is_a? Key
user_download_access_check(actor.user, project)
else
raise 'Wrong actor'
end
end
def user_download_access_check(user, project)
if user && user_allowed?(user) && user.can?(:download_code, project)
build_status_object(true)
else
......
......@@ -46,6 +46,25 @@ describe Gitlab::GitAccess do
it { subject.allowed?.should be_false }
end
end
describe 'deploy key permissions' do
let(:key) { create(:deploy_key) }
context 'pull code' do
context 'allowed' do
before { key.projects << project }
subject { access.download_access_check(key, project) }
it { subject.allowed?.should be_true }
end
context 'denied' do
subject { access.download_access_check(key, project) }
it { subject.allowed?.should be_false }
end
end
end
end
describe 'push_access_check' do
......
......@@ -26,7 +26,7 @@ describe API::API, api: true do
end
end
describe "GET /internal/allowed" do
describe "POST /internal/allowed" do
context "access granted" do
before do
project.team << [user, :developer]
......@@ -140,7 +140,7 @@ describe API::API, api: true do
archive(key, project)
response.status.should == 200
response.body.should == 'true'
JSON.parse(response.body)["status"].should be_true
end
end
......@@ -149,10 +149,28 @@ describe API::API, api: true do
archive(key, project)
response.status.should == 200
response.body.should == 'false'
JSON.parse(response.body)["status"].should be_false
end
end
end
context 'project does not exist' do
it do
pull(key, OpenStruct.new(path_with_namespace: 'gitlab/notexists'))
response.status.should == 200
JSON.parse(response.body)["status"].should be_false
end
end
context 'user does not exist' do
it do
pull(OpenStruct.new(id: 0), project)
response.status.should == 200
JSON.parse(response.body)["status"].should be_false
end
end
end
def pull(key, project)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment