Skip change access check for deploy keys

551e84c2 · Douwe Maan · bc7a1aff · 551e84c2 · 551e84c2
Commit 551e84c2 authored Dec 20, 2018 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 5 deletions

lib/gitlab/checks/change_access.rb lib/gitlab/checks/change_access.rb +1 -4

lib/gitlab/git_access.rb lib/gitlab/git_access.rb +3 -1

No files found.
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -10,7 +10,7 @@ module Gitlab
      attr_reader(*ATTRIBUTES)

      def initialize(
-        change, user_access:, project:, skip_authorization: false,
+        change, user_access:, project:,
        skip_lfs_integrity_check: false, protocol:, logger:
      )
        @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
@@ -18,7 +18,6 @@ module Gitlab
        @tag_name = Gitlab::Git.tag_name(@ref)
        @user_access = user_access
        @project = project
-        @skip_authorization = skip_authorization
        @skip_lfs_integrity_check = skip_lfs_integrity_check
        @protocol = protocol

@@ -27,8 +26,6 @@ module Gitlab
      end

      def exec
-        return true if skip_authorization
-
        ref_level_checks
        # Check of commits should happen as the last step
        # given they're expensive in terms of performance

--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -266,6 +266,9 @@ module Gitlab
    end

    def check_change_access!
+      # Deploy keys with write access can push anything
+      return if deploy_key?
+
      # If there are worktrees with a HEAD pointing to a non-existent object,
      # calls to `git rev-list --all` will fail in git 2.15+. This should also
      # clear stale lock files.
@@ -286,7 +289,6 @@ module Gitlab
        change,
        user_access: user_access,
        project: project,
-        skip_authorization: deploy_key?,
        skip_lfs_integrity_check: skip_lfs_integrity_check,
        protocol: protocol,
        logger: logger