Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
96ff802a
Commit
96ff802a
authored
Mar 13, 2017
by
Adam Niedzielski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Skip "deny_delete_tag" push rule when deleting from web UI
parent
f2f5cb67
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
45 additions
and
9 deletions
+45
-9
lib/gitlab/checks/change_access.rb
lib/gitlab/checks/change_access.rb
+15
-4
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+3
-1
spec/lib/gitlab/checks/change_access_spec.rb
spec/lib/gitlab/checks/change_access_spec.rb
+27
-4
No files found.
lib/gitlab/checks/change_access.rb
View file @
96ff802a
...
@@ -3,16 +3,20 @@ module Gitlab
...
@@ -3,16 +3,20 @@ module Gitlab
class
ChangeAccess
class
ChangeAccess
include
PathLocksHelper
include
PathLocksHelper
attr_reader
:user_access
,
:project
,
:skip_authorization
# protocol is currently used only in EE
attr_reader
:user_access
,
:project
,
:skip_authorization
,
:protocol
def
initialize
(
def
initialize
(
change
,
user_access
:,
project
:,
env:
{},
skip_authorization:
false
)
change
,
user_access
:,
project
:,
env:
{},
skip_authorization:
false
,
protocol:
)
@oldrev
,
@newrev
,
@ref
=
change
.
values_at
(
:oldrev
,
:newrev
,
:ref
)
@oldrev
,
@newrev
,
@ref
=
change
.
values_at
(
:oldrev
,
:newrev
,
:ref
)
@branch_name
=
Gitlab
::
Git
.
branch_name
(
@ref
)
@branch_name
=
Gitlab
::
Git
.
branch_name
(
@ref
)
@user_access
=
user_access
@user_access
=
user_access
@project
=
project
@project
=
project
@env
=
env
@env
=
env
@skip_authorization
=
skip_authorization
@skip_authorization
=
skip_authorization
@protocol
=
protocol
end
end
def
exec
def
exec
...
@@ -92,8 +96,8 @@ module Gitlab
...
@@ -92,8 +96,8 @@ module Gitlab
# Prevent tag removal
# Prevent tag removal
if
Gitlab
::
Git
.
tag_name
(
@ref
)
if
Gitlab
::
Git
.
tag_name
(
@ref
)
if
push_rule
.
try
(
:deny_delete_tag
)
&&
protected_tag?
(
Gitlab
::
Git
.
tag_name
(
@ref
))
&&
Gitlab
::
Git
.
blank_ref?
(
@newrev
)
if
tag_deletion_denied_by_push_rule?
(
push_rule
)
return
"You can not delete a tag"
return
'You cannot delete a tag'
end
end
else
else
commit_validation
=
push_rule
.
try
(
:commit_validation?
)
commit_validation
=
push_rule
.
try
(
:commit_validation?
)
...
@@ -116,6 +120,13 @@ module Gitlab
...
@@ -116,6 +120,13 @@ module Gitlab
nil
nil
end
end
def
tag_deletion_denied_by_push_rule?
(
push_rule
)
push_rule
.
try
(
:deny_delete_tag
)
&&
protocol
!=
'web'
&&
Gitlab
::
Git
.
blank_ref?
(
@newrev
)
&&
protected_tag?
(
Gitlab
::
Git
.
tag_name
(
@ref
))
end
# If commit does not pass push rule validation the whole push should be rejected.
# If commit does not pass push rule validation the whole push should be rejected.
# This method should return nil if no error found or status object if there are some errors.
# This method should return nil if no error found or status object if there are some errors.
# In case of errors - all other checks will be canceled and push will be rejected.
# In case of errors - all other checks will be canceled and push will be rejected.
...
...
lib/gitlab/git_access.rb
View file @
96ff802a
...
@@ -192,7 +192,9 @@ module Gitlab
...
@@ -192,7 +192,9 @@ module Gitlab
user_access:
user_access
,
user_access:
user_access
,
project:
project
,
project:
project
,
env:
@env
,
env:
@env
,
skip_authorization:
deploy_key?
).
exec
skip_authorization:
deploy_key?
,
protocol:
protocol
).
exec
end
end
def
deploy_key
def
deploy_key
...
...
spec/lib/gitlab/checks/change_access_spec.rb
View file @
96ff802a
...
@@ -12,8 +12,16 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
...
@@ -12,8 +12,16 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
ref:
'refs/heads/master'
ref:
'refs/heads/master'
}
}
end
end
let
(
:protocol
)
{
'ssh'
}
subject
{
described_class
.
new
(
changes
,
project:
project
,
user_access:
user_access
).
exec
}
subject
do
described_class
.
new
(
changes
,
project:
project
,
user_access:
user_access
,
protocol:
protocol
).
exec
end
before
{
allow
(
user_access
).
to
receive
(
:can_do_action?
).
with
(
:push_code
).
and_return
(
true
)
}
before
{
allow
(
user_access
).
to
receive
(
:can_do_action?
).
with
(
:push_code
).
and_return
(
true
)
}
...
@@ -116,7 +124,15 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
...
@@ -116,7 +124,15 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
it
'returns an error if the rule denies tag deletion'
do
it
'returns an error if the rule denies tag deletion'
do
expect
(
subject
.
status
).
to
be
(
false
)
expect
(
subject
.
status
).
to
be
(
false
)
expect
(
subject
.
message
).
to
eq
(
'You can not delete a tag'
)
expect
(
subject
.
message
).
to
eq
(
'You cannot delete a tag'
)
end
context
'when tag is deleted in web UI'
do
let
(
:protocol
)
{
'web'
}
it
'ignores the push rule'
do
expect
(
subject
.
status
).
to
be
(
true
)
end
end
end
end
end
...
@@ -179,7 +195,14 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
...
@@ -179,7 +195,14 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
context
'blacklisted files check'
do
context
'blacklisted files check'
do
let
(
:push_rule
)
{
create
(
:push_rule
,
prevent_secrets:
true
)
}
let
(
:push_rule
)
{
create
(
:push_rule
,
prevent_secrets:
true
)
}
let
(
:checker
)
{
described_class
.
new
(
changes
,
project:
project
,
user_access:
user_access
)
}
let
(
:checker
)
do
described_class
.
new
(
changes
,
project:
project
,
user_access:
user_access
,
protocol:
protocol
)
end
it
"returns status true if there is no blacklisted files"
do
it
"returns status true if there is no blacklisted files"
do
new_rev
=
nil
new_rev
=
nil
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment