Merge branch 'tags-protection' into 'master'

Git tags protection

Only masters can remove or modify git tags.

Fixes #1223

CHANGELOG

@@ -12,6 +12,7 @@ v 7.0.0
   - Make it easier to implement other CI services for GitLab
   - Group masters can create projects in group
   - Deprecate ruby 1.9.3 support
+  - Only masters can rewrite/remove git tags
 
 v 6.9.2
   - Revert the commit that broke the LDAP user filter

app/views/projects/tags/_tag.html.haml

@@ -17,6 +17,6 @@
       - if can? current_user, :download_code, @project
         = render 'projects/repositories/download_archive', ref: tag.name, btn_class: 'btn-grouped btn-group-small'
       - if can?(current_user, :admin_project, @project)
-        = link_to project_tag_path(@project, tag.name), class: 'btn btn-small remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
+        = link_to project_tag_path(@project, tag.name), class: 'btn btn-small btn-remove remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
           %i.icon-trash
 

doc/permissions/permissions.md

@@ -27,6 +27,7 @@ If a user is a GitLab administrator they receive all permissions.
 |Add new team members| |||✓|✓|
 |Push to protected branches| |||✓|✓|
 |Enable/Disable branch protection| |||✓|✓|
+|Rewrite/remove git tags| |||✓|✓|
 |Edit project| |||✓|✓|
 |Add Deploy Keys to project| |||✓|✓|
 |Configure Project Hooks| |||✓|✓|

lib/gitlab/git_access.rb

@@ -53,6 +53,9 @@ module Gitlab
                    else
                      :push_code_to_protected_branches
                    end
+                 elsif project.repository && project.repository.tag_names.include?(ref)
+                   # Prevent any changes to existing git tag unless user has permissions
+                   :admin_project
                  else
                    :push_code
                  end