Commit bd79d91b authored by James Edwards-Jones's avatar James Edwards-Jones

Fix ProtectedBranch access level validations

Before an access_level was required in EE even when an
it had been set for a user/group.
parent b0a4675a
module ProtectedBranchAccess module ProtectedBranchAccess
extend ActiveSupport::Concern extend ActiveSupport::Concern
ALLOWED_ACCESS_LEVELS ||= [
Gitlab::Access::MASTER,
Gitlab::Access::DEVELOPER,
Gitlab::Access::NO_ACCESS
].freeze
included do included do
include ProtectedRefAccess include ProtectedRefAccess
include EE::ProtectedRefAccess include EE::ProtectedRefAccess
...@@ -15,10 +9,6 @@ module ProtectedBranchAccess ...@@ -15,10 +9,6 @@ module ProtectedBranchAccess
delegate :project, to: :protected_branch delegate :project, to: :protected_branch
validates :access_level, presence: true, inclusion: {
in: ALLOWED_ACCESS_LEVELS
}
def self.human_access_levels def self.human_access_levels
{ {
Gitlab::Access::MASTER => "Masters", Gitlab::Access::MASTER => "Masters",
......
module ProtectedRefAccess module ProtectedRefAccess
extend ActiveSupport::Concern extend ActiveSupport::Concern
ALLOWED_ACCESS_LEVELS = [
Gitlab::Access::MASTER,
Gitlab::Access::DEVELOPER,
Gitlab::Access::NO_ACCESS
].freeze
included do included do
scope :master, -> { where(access_level: Gitlab::Access::MASTER) } scope :master, -> { where(access_level: Gitlab::Access::MASTER) }
scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) } scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) }
validates :access_level, presence: true, if: :role?, inclusion: {
in: ALLOWED_ACCESS_LEVELS
}
end end
def humanize def humanize
self.class.human_access_levels[self.access_level] self.class.human_access_levels[self.access_level]
end end
# CE access levels are always role-based,
# where as EE allows groups and users too
def role?
true
end
def check_access(user) def check_access(user)
return true if user.admin? return true if user.admin?
......
class ProtectedTag::CreateAccessLevel < ActiveRecord::Base class ProtectedTag::CreateAccessLevel < ActiveRecord::Base
include ProtectedTagAccess include ProtectedTagAccess
validates :access_level, presence: true, inclusion: { in: [Gitlab::Access::MASTER,
Gitlab::Access::DEVELOPER,
Gitlab::Access::NO_ACCESS] }
def self.human_access_levels def self.human_access_levels
{ {
Gitlab::Access::MASTER => "Masters", Gitlab::Access::MASTER => "Masters",
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
**Valid access levels** **Valid access levels**
The access levels are defined in the `ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS` constant. Currently, these levels are recognized: The access levels are defined in the `ProtectedRefAccess::ALLOWED_ACCESS_LEVELS` constant. Currently, these levels are recognized:
``` ```
0 => No access 0 => No access
30 => Developer access 30 => Developer access
......
...@@ -41,6 +41,8 @@ module EE ...@@ -41,6 +41,8 @@ module EE
# Is this a role-based access level? # Is this a role-based access level?
def role? def role?
raise NotImplementedError unless defined?(super)
type == :role type == :role
end end
......
...@@ -40,10 +40,10 @@ module API ...@@ -40,10 +40,10 @@ module API
params do params do
requires :name, type: String, desc: 'The name of the protected branch' requires :name, type: String, desc: 'The name of the protected branch'
optional :push_access_level, type: Integer, default: Gitlab::Access::MASTER, optional :push_access_level, type: Integer, default: Gitlab::Access::MASTER,
values: ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS, values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS,
desc: 'Access levels allowed to push (defaults: `40`, master access level)' desc: 'Access levels allowed to push (defaults: `40`, master access level)'
optional :merge_access_level, type: Integer, default: Gitlab::Access::MASTER, optional :merge_access_level, type: Integer, default: Gitlab::Access::MASTER,
values: ProtectedBranchAccess::ALLOWED_ACCESS_LEVELS, values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS,
desc: 'Access levels allowed to merge (defaults: `40`, master access level)' desc: 'Access levels allowed to merge (defaults: `40`, master access level)'
end end
post ':id/protected_branches' do post ':id/protected_branches' do
......
...@@ -7,10 +7,8 @@ describe EE::ProtectedRefAccess do ...@@ -7,10 +7,8 @@ describe EE::ProtectedRefAccess do
included_in_classes.each do |included_in_class| included_in_classes.each do |included_in_class|
context "in #{included_in_class}" do context "in #{included_in_class}" do
let(:access_level) do let(:factory_name) { included_in_class.name.underscore.tr('/', '_') }
factory_name = included_in_class.name.underscore.tr('/', '_') let(:access_level) { build(factory_name) }
build(factory_name)
end
it "#{included_in_class} includes {described_class}" do it "#{included_in_class} includes {described_class}" do
expect(included_in_class.included_modules).to include(described_class) expect(included_in_class.included_modules).to include(described_class)
...@@ -53,6 +51,24 @@ describe EE::ProtectedRefAccess do ...@@ -53,6 +51,24 @@ describe EE::ProtectedRefAccess do
expect(access_level).to be_valid expect(access_level).to be_valid
end end
end end
it 'requires access_level if no user or group is specified' do
subject = build(factory_name, access_level: nil)
expect(subject).not_to be_valid
end
it "doesn't require access_level if user specified" do
subject = build(factory_name, access_level: nil, user: create(:user))
expect(subject).to be_valid
end
it "doesn't require access_level if group specified" do
subject = build(factory_name, access_level: nil, group: create(:group))
expect(subject).to be_valid
end
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment