Authorize user before creating/updating a protected branch.

1. This is a third line of defence (first in the view, second in the controller). 2. Duplicate the `API::Helpers.to_boolean` method in `BaseService`. The other alternative is to `include API::Helpers`, but this brings with it a number of other methods that might cause conflicts. 3. Return a 403 if authorization fails.

Authorize user before creating/updating a protected branch.
1. This is a third line of defence (first in the view, second in the controller). 2. Duplicate the `API::Helpers.to_boolean` method in `BaseService`. The other alternative is to `include API::Helpers`, but this brings with it a number of other methods that might cause conflicts. 3. Return a 403 if authorization fails.
6d841eaa · Timothy Andrew · 01d190a8 · 6d841eaa · 6d841eaa · 6d841eaa
Commit 6d841eaa authored Jul 27, 2016 by Timothy Andrew
3 changed files
--- a/app/services/protected_branches/base_service.rb
+++ b/app/services/protected_branches/base_service.rb
 module ProtectedBranches
  class BaseService < ::BaseService
-    include API::Helpers
-
    def initialize(project, current_user, params = {})
      super(project, current_user, params)
      @allowed_to_push = params[:allowed_to_push]
@@ -14,7 +12,7 @@ module ProtectedBranches
      set_push_access_levels!
    end

-    protected
+    private

    def set_merge_access_levels!
      case @allowed_to_merge
@@ -56,5 +54,14 @@ module ProtectedBranches
          'masters'
        end
    end
+
+    protected
+
+    def to_boolean(value)
+      return true if value =~ /^(true|t|yes|y|1|on)$/i
+      return false if value =~ /^(false|f|no|n|0|off)$/i
+
+      nil
+    end
  end
 end
--- a/app/services/protected_branches/create_service.rb
+++ b/app/services/protected_branches/create_service.rb
@@ -3,6 +3,8 @@ module ProtectedBranches
    attr_reader :protected_branch

    def execute
+      raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
+
      ProtectedBranch.transaction do
        @protected_branch = project.protected_branches.new(name: params[:name])
        @protected_branch.save!

--- a/app/services/protected_branches/update_service.rb
+++ b/app/services/protected_branches/update_service.rb
@@ -4,12 +4,13 @@ module ProtectedBranches

    def initialize(project, current_user, id, params = {})
      super(project, current_user, params)
-      @id = id
+      @protected_branch = ProtectedBranch.find(id)
    end

    def execute
+      raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
+
      ProtectedBranch.transaction do
-        @protected_branch = ProtectedBranch.find(@id)
        set_access_levels!
      end