Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
05cc8705
Commit
05cc8705
authored
Nov 11, 2016
by
Lin Jen-Shin
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Improve write access check for deploy key
parent
5b5722e9
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
36 additions
and
45 deletions
+36
-45
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+36
-45
No files found.
lib/gitlab/git_access.rb
View file @
05cc8705
...
...
@@ -7,7 +7,7 @@ module Gitlab
ERROR_MESSAGES
=
{
upload:
'You are not allowed to upload code for this project.'
,
download:
'You are not allowed to download code from this project.'
,
deploy_key:
'
Deploy keys are not allowed to push code
.'
,
deploy_key:
'
This deploy key does not have write access to this project
.'
,
no_repo:
'A repository for this project does not exist yet.'
}
...
...
@@ -46,22 +46,18 @@ module Gitlab
def
download_access_check
if
user
user_download_access_check
elsif
deploy_key
.
nil?
&&
!
Guest
.
can?
(
:download_code
,
project
)
elsif
!
Guest
.
can?
(
:download_code
,
project
)
raise
UnauthorizedError
,
ERROR_MESSAGES
[
:download
]
end
end
def
push_access_check
(
changes
)
unless
project
.
repository
.
exists?
return
build_status_object
(
false
,
"A repository for this project does not exist yet."
)
end
if
user
user_push_access_check
(
changes
)
elsif
deploy_key
if
deploy_key
deploy_key_push_access_check
(
changes
)
elsif
user
user_push_access_check
(
changes
)
else
raise
UnauthorizedError
,
ERROR_MESSAGES
[
deploy_key
?
:deploy_key
:
:upload
]
raise
UnauthorizedError
,
ERROR_MESSAGES
[
:upload
]
end
end
...
...
@@ -88,34 +84,19 @@ module Gitlab
return
# Allow access.
end
unless
project
.
repository
.
exists?
raise
UnauthorizedError
,
ERROR_MESSAGES
[
:no_repo
]
end
changes_list
=
Gitlab
::
ChangesList
.
new
(
changes
)
# Iterate over all changes to find if user allowed all of them to be applied
changes_list
.
each
do
|
change
|
status
=
change_access_check
(
change
)
unless
status
.
allowed?
# If user does not have access to make at least one change - cancel all push
raise
UnauthorizedError
,
status
.
message
end
end
check_repository_existence!
check_change_access!
(
changes
)
end
def
deploy_key_push_access_check
(
changes
)
if
actor
.
can_push?
build_status_object
(
true
)
if
deploy_key
.
can_push?
check_repository_existence!
check_change_access!
(
changes
)
else
build_status_object
(
false
,
"The deploy key does not have write access to the project."
)
raise
UnauthorizedError
,
ERROR_MESSAGES
[
:deploy_key
]
end
end
def
change_access_check
(
change
)
Checks
::
ChangeAccess
.
new
(
change
,
user_access:
user_access
,
project:
project
).
exec
end
def
protocol_allowed?
Gitlab
::
ProtocolAccess
.
allowed?
(
protocol
)
end
...
...
@@ -146,6 +127,27 @@ module Gitlab
end
end
def
check_repository_existence!
unless
project
.
repository
.
exists?
raise
UnauthorizedError
,
ERROR_MESSAGES
[
:no_repo
]
end
end
def
check_change_access!
(
changes
)
changes_list
=
Gitlab
::
ChangesList
.
new
(
changes
)
# Iterate over all changes to find if user allowed all of them to be applied
changes_list
.
each
do
|
change
|
status
=
Checks
::
ChangeAccess
.
new
(
change
,
user_access:
user_access
,
project:
project
).
exec
unless
status
.
allowed?
# If user does not have access to make at least one change - cancel all push
raise
UnauthorizedError
,
status
.
message
end
end
end
def
matching_merge_request?
(
newrev
,
branch_name
)
Checks
::
MatchingMergeRequest
.
new
(
newrev
,
branch_name
,
project
).
match?
end
...
...
@@ -154,20 +156,11 @@ module Gitlab
actor
if
actor
.
is_a?
(
DeployKey
)
end
def
deploy_key_can_read_project?
if
deploy_key
return
true
if
project
.
public?
deploy_key
.
projects
.
include?
(
project
)
else
false
end
end
def
can_read_project?
if
user
if
deploy_key
project
.
public?
||
deploy_key
.
projects
.
include?
(
project
)
elsif
user
user_access
.
can_read_project?
elsif
deploy_key
deploy_key_can_read_project?
else
Guest
.
can?
(
:read_project
,
project
)
end
...
...
@@ -182,8 +175,6 @@ module Gitlab
case
actor
when
User
actor
when
DeployKey
nil
when
Key
actor
.
user
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment