Fix ProtectedBranch access level validations

Before an access_level was required in EE even when an it had been set for a user/group.

Fix ProtectedBranch access level validations
Before an access_level was required in EE even when an it had been set for a user/group.
bd79d91b · James Edwards-Jones · b0a4675a · bd79d91b · bd79d91b · bd79d91b
Commit bd79d91b authored Nov 24, 2017 by James Edwards-Jones
7 changed files
--- a/app/models/concerns/protected_branch_access.rb
+++ b/app/models/concerns/protected_branch_access.rb
 module ProtectedBranchAccess
  extend ActiveSupport::Concern

-  ALLOWED_ACCESS_LEVELS ||= [
-    Gitlab::Access::MASTER,
-    Gitlab::Access::DEVELOPER,
-    Gitlab::Access::NO_ACCESS
-  ].freeze
-
  included do
    include ProtectedRefAccess
    include EE::ProtectedRefAccess
@@ -15,10 +9,6 @@ module ProtectedBranchAccess

    delegate :project, to: :protected_branch

-    validates :access_level, presence: true, inclusion: {
-      in: ALLOWED_ACCESS_LEVELS
-    }
-
    def self.human_access_levels
      {
        Gitlab::Access::MASTER => "Masters",

--- a/app/models/concerns/protected_ref_access.rb
+++ b/app/models/concerns/protected_ref_access.rb
 module ProtectedRefAccess
  extend ActiveSupport::Concern

+  ALLOWED_ACCESS_LEVELS = [
+    Gitlab::Access::MASTER,
+    Gitlab::Access::DEVELOPER,
+    Gitlab::Access::NO_ACCESS
+  ].freeze
+
  included do
    scope :master, -> { where(access_level: Gitlab::Access::MASTER) }
    scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) }
+
+    validates :access_level, presence: true, if: :role?, inclusion: {
+      in: ALLOWED_ACCESS_LEVELS
+    }
  end

  def humanize
    self.class.human_access_levels[self.access_level]
  end

+  # CE access levels are always role-based,
+  # where as EE allows groups and users too
+  def role?
+    true
+  end
+
  def check_access(user)
    return true if user.admin?


--- a/app/models/protected_tag/create_access_level.rb
+++ b/app/models/protected_tag/create_access_level.rb
 class ProtectedTag::CreateAccessLevel < ActiveRecord::Base
  include ProtectedTagAccess

-  validates :access_level, presence: true, inclusion: { in: [Gitlab::Access::MASTER,
-                                                             Gitlab::Access::DEVELOPER,
-                                                             Gitlab::Access::NO_ACCESS] }
-
  def self.human_access_levels
    {
      Gitlab::Access::MASTER => "Masters",

--- a/doc/api/protected_branches.md
+++ b/doc/api/protected_branches.md
@@ -4,7 +4,7 @@

 **Valid access levels**

-The access levels are defined in the `ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS` constant. Currently, these levels are recognized:
+The access levels are defined in the `ProtectedRefAccess::ALLOWED_ACCESS_LEVELS` constant. Currently, these levels are recognized:
 ```
 0  => No access
 30 => Developer access

--- a/ee/app/models/concerns/ee/protected_ref_access.rb
+++ b/ee/app/models/concerns/ee/protected_ref_access.rb
@@ -41,6 +41,8 @@ module EE

    # Is this a role-based access level?
    def role?
+      raise NotImplementedError unless defined?(super)
+
      type == :role
    end


--- a/lib/api/protected_branches.rb
+++ b/lib/api/protected_branches.rb
@@ -40,10 +40,10 @@ module API
      params do
        requires :name, type: String, desc: 'The name of the protected branch'
        optional :push_access_level, type: Integer, default: Gitlab::Access::MASTER,
-                                     values: ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS,
+                                     values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS,
                                     desc: 'Access levels allowed to push (defaults: `40`, master access level)'
        optional :merge_access_level, type: Integer, default: Gitlab::Access::MASTER,
-                                      values: ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS,
+                                      values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS,
                                      desc: 'Access levels allowed to merge (defaults: `40`, master access level)'
      end
      post ':id/protected_branches' do

--- a/spec/ee/spec/models/ee/protected_ref_access_spec.rb
+++ b/spec/ee/spec/models/ee/protected_ref_access_spec.rb
@@ -7,10 +7,8 @@ describe EE::ProtectedRefAccess do

  included_in_classes.each do |included_in_class|
    context "in #{included_in_class}" do
-      let(:access_level) do
-        factory_name = included_in_class.name.underscore.tr('/', '_')
-        build(factory_name)
-      end
+      let(:factory_name) { included_in_class.name.underscore.tr('/', '_') }
+      let(:access_level) { build(factory_name) }

      it "#{included_in_class} includes {described_class}" do
        expect(included_in_class.included_modules).to include(described_class)
@@ -53,6 +51,24 @@ describe EE::ProtectedRefAccess do
          expect(access_level).to be_valid
        end
      end
+
+      it 'requires access_level if no user or group is specified' do
+        subject = build(factory_name, access_level: nil)
+
+        expect(subject).not_to be_valid
+      end
+
+      it "doesn't require access_level if user specified" do
+        subject = build(factory_name, access_level: nil, user: create(:user))
+
+        expect(subject).to be_valid
+      end
+
+      it "doesn't require access_level if group specified" do
+        subject = build(factory_name, access_level: nil, group: create(:group))
+
+        expect(subject).to be_valid
+      end
    end
  end
 end