Fix ProtectedBranch access level validations

Before an access_level was required in EE even when an it had been set for a user/group.

Fix ProtectedBranch access level validations
Before an access_level was required in EE even when an it had been set for a user/group.
d6dd9d71 · James Edwards-Jones · e548c613 · d6dd9d71 · d6dd9d71 · d6dd9d71
Commit d6dd9d71 authored Nov 24, 2017 by James Edwards-Jones
5 changed files
--- a/app/models/concerns/protected_branch_access.rb
+++ b/app/models/concerns/protected_branch_access.rb
 module ProtectedBranchAccess
  extend ActiveSupport::Concern

-  ALLOWED_ACCESS_LEVELS ||= [
-    Gitlab::Access::MASTER,
-    Gitlab::Access::DEVELOPER,
-    Gitlab::Access::NO_ACCESS
-  ].freeze
-
  included do
    include ProtectedRefAccess

@@ -14,10 +8,6 @@ module ProtectedBranchAccess

    delegate :project, to: :protected_branch

-    validates :access_level, presence: true, inclusion: {
-      in: ALLOWED_ACCESS_LEVELS
-    }
-
    def self.human_access_levels
      {
        Gitlab::Access::MASTER => "Masters",

--- a/app/models/concerns/protected_ref_access.rb
+++ b/app/models/concerns/protected_ref_access.rb
 module ProtectedRefAccess
  extend ActiveSupport::Concern

+  ALLOWED_ACCESS_LEVELS = [
+    Gitlab::Access::MASTER,
+    Gitlab::Access::DEVELOPER,
+    Gitlab::Access::NO_ACCESS
+  ].freeze
+
  included do
    scope :master, -> { where(access_level: Gitlab::Access::MASTER) }
    scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) }
+
+    validates :access_level, presence: true, if: :role?, inclusion: {
+      in: ALLOWED_ACCESS_LEVELS
+    }
  end

  def humanize
    self.class.human_access_levels[self.access_level]
  end

+  # CE access levels are always role-based,
+  # where as EE allows groups and users too
+  def role?
+    true
+  end
+
  def check_access(user)
    return true if user.admin?


--- a/app/models/protected_tag/create_access_level.rb
+++ b/app/models/protected_tag/create_access_level.rb
 class ProtectedTag::CreateAccessLevel < ActiveRecord::Base
  include ProtectedTagAccess

-  validates :access_level, presence: true, inclusion: { in: [Gitlab::Access::MASTER,
-                                                             Gitlab::Access::DEVELOPER,
-                                                             Gitlab::Access::NO_ACCESS] }
-
  def self.human_access_levels
    {
      Gitlab::Access::MASTER => "Masters",

--- a/doc/api/protected_branches.md
+++ b/doc/api/protected_branches.md
@@ -4,7 +4,7 @@

 **Valid access levels**

-The access levels are defined in the `ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS` constant. Currently, these levels are recognized:
+The access levels are defined in the `ProtectedRefAccess::ALLOWED_ACCESS_LEVELS` constant. Currently, these levels are recognized:
 ```
 0  => No access
 30 => Developer access

--- a/lib/api/protected_branches.rb
+++ b/lib/api/protected_branches.rb
@@ -40,10 +40,10 @@ module API
      params do
        requires :name, type: String, desc: 'The name of the protected branch'
        optional :push_access_level, type: Integer, default: Gitlab::Access::MASTER,
-                                     values: ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS,
+                                     values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS,
                                     desc: 'Access levels allowed to push (defaults: `40`, master access level)'
        optional :merge_access_level, type: Integer, default: Gitlab::Access::MASTER,
-                                      values: ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS,
+                                      values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS,
                                      desc: 'Access levels allowed to merge (defaults: `40`, master access level)'
      end
      post ':id/protected_branches' do