Rewrite GitAccess for gitlab-shell v2

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Rewrite GitAccess for gitlab-shell v2
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
0306a4e2 · Dmitriy Zaporozhets · 4102eb3b · 0306a4e2 · 0306a4e2 · 0306a4e2
Commit 0306a4e2 authored Sep 01, 2014 by Dmitriy Zaporozhets
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 13 deletions

GITLAB_SHELL_VERSION GITLAB_SHELL_VERSION +1 -1

lib/api/internal.rb lib/api/internal.rb +1 -4

lib/gitlab/git_access.rb lib/gitlab/git_access.rb +31 -8

No files found.
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
-1.9.7
+2.0.0
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -34,10 +34,7 @@ module API
          actor,
          params[:action],
          project,
-          params[:ref],
-          params[:oldrev],
-          params[:newrev],
-          params[:forced_push]
+          params[:changes]
        )
      end


--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -5,7 +5,7 @@ module Gitlab

    attr_reader :params, :project, :git_cmd, :user

-    def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil, forced_push = false)
+    def allowed?(actor, cmd, project, changes = nil)
      case cmd
      when *DOWNLOAD_COMMANDS
        if actor.is_a? User
@@ -19,12 +19,12 @@ module Gitlab
        end
      when *PUSH_COMMANDS
        if actor.is_a? User
-          push_allowed?(actor, project, ref, oldrev, newrev, forced_push)
+          push_allowed?(actor, project, changes)
        elsif actor.is_a? DeployKey
          # Deploy key not allowed to push
          return false
        elsif actor.is_a? Key
-          push_allowed?(actor.user, project, ref, oldrev, newrev, forced_push)
+          push_allowed?(actor.user, project, changes)
        else
          raise 'Wrong actor'
        end
@@ -41,13 +41,21 @@ module Gitlab
      end
    end

-    def push_allowed?(user, project, ref, oldrev, newrev, forced_push)
-      if user && user_allowed?(user)
+    def push_allowed?(user, project, changes)
+      return false unless user && user_allowed?(user)
+      return true if changes.blank?
+
+      changes = changes.lines if changes.kind_of?(String)
+
+      # Iterate over all changes to find if user allowed all of them to be applied
+      changes.each do |change|
+        oldrev, newrev, ref = changes.split('')
+
        action = if project.protected_branch?(ref)
                   # we dont allow force push to protected branch
-                   if forced_push.to_s == 'true'
+                   if forced_push?(oldrev, newrev)
                     :force_push_code_to_protected_branches
-                   # and we dont allow remove of protected branch
+                     # and we dont allow remove of protected branch
                   elsif newrev =~ /0000000/
                     :remove_protected_branches
                   else
@@ -59,7 +67,22 @@ module Gitlab
                 else
                   :push_code
                 end
-        user.can?(action, project)
+        unless user.can?(action, project)
+          # If user does not have access to make at least one change - cancel all push
+          return false
+        end
+      end
+
+      # If user has access to make all changes
+      true
+    end
+
+    def forced_push?(oldrev, newrev)
+      return false if project.empty_repo?
+
+      if oldrev !~ /00000000/ && newrev !~ /00000000/
+        missed_refs = IO.popen(%W(git --git-dir=#{project.repository.path_to_repo} rev-list #{oldrev} ^#{newrev})).read
+        missed_refs.split("\n").size > 0
      else
        false
      end