Check for restricted projects on a node before processing hooks

e67b3ce8 · Douglas Barbosa Alexandre · 389dce86 · e67b3ce8
Commit e67b3ce8 authored Aug 09, 2017 by Douglas Barbosa Alexandre
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

lib/api/geo.rb lib/api/geo.rb +11 -0

No files found.
--- a/lib/api/geo.rb
+++ b/lib/api/geo.rb
@@ -58,6 +58,8 @@ module API
      post 'receive_events' do
        authenticate_by_gitlab_geo_token!
        require_node_to_be_enabled!
+        check_node_restricted_project_ids!
+
        required_attributes! %w(event_name)

        case params['event_name']
@@ -109,6 +111,15 @@ module API
      def require_node_to_be_secondary!
        forbidden! 'Geo node is not secondary node.' unless Gitlab::Geo.current_node&.secondary?
      end
+
+      def check_node_restricted_project_ids!
+        return unless params.key?(:project_id)
+        return if Gitlab::Geo.current_node&.restricted_project_ids.nil?
+
+        unless Gitlab::Geo.current_node.restricted_project_ids.include?(params[:project_id])
+          not_found!
+        end
+      end
    end
  end
 end