author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-12-01 16:25:10 +0200 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-12-01 16:25:10 +0200 |
commit | 06b7907c2afe0cb0fa25f4cdef0ff470710de2f9 (patch) | |
tree | 18a11195038b46f15671eee254e88664fb5a36d6 | |
parent | 30e28a7e0c458395b7a205e72a89e7d1b68571eb (diff) | |
download | gitlab-ce-06b7907c2afe0cb0fa25f4cdef0ff470710de2f9.tar.gz |
Fix deploy keys permission check in internal api
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-rw-r--r-- | lib/gitlab/git_access.rb | 28 | ||||
-rw-r--r-- | spec/lib/gitlab/git_access_spec.rb | 19 |
2 files changed, 37 insertions, 10 deletions
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 3452240dad8..5f8cb19efdf 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -8,15 +8,7 @@ module Gitlab
 def check(actor, cmd, project, changes = nil)
 case cmd
 when *DOWNLOAD_COMMANDS
- if actor.is_a? User
- download_access_check(actor, project)
- elsif actor.is_a? DeployKey
- actor.projects.include?(project)
- elsif actor.is_a? Key
- download_access_check(actor.user, project)
- else
- raise 'Wrong actor'
- end
+ download_access_check(actor, project)
 when *PUSH_COMMANDS
 if actor.is_a? User
 push_access_check(actor, project, changes)
@@ -32,7 +24,23 @@ module Gitlab
 end
 end
- def download_access_check(user, project)
+ def download_access_check(actor, project)
+ if actor.is_a?(User)
+ user_download_access_check(actor, project)
+ elsif actor.is_a?(DeployKey)
+ if actor.projects.include?(project)
+ build_status_object(true)
+ else
+ build_status_object(false, "Deploy key not allowed to access this project")
+ end
+ elsif actor.is_a? Key
+ user_download_access_check(actor.user, project)
+ else
+ raise 'Wrong actor'
+ end
+ end
+
+ def user_download_access_check(user, project)
 if user && user_allowed?(user) && user.can?(:download_code, project)
 build_status_object(true)
 else
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 1addba55787..66e87e57cbc 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
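Review bot: The `elsif actor.is_a?(DeployKey)` branch in the new `download_access_check` depends on being tested before `actor.is_a? Key`. If DeployKey is a subclass of Key (not visible on this page, worth confirming), swapping the two would send deploy keys down the `actor.user` path instead of the project-membership check. I would add a comment above that branch, for example `# DeployKey must be matched before Key: deploy keys are authorised by project membership, not by an owning user`. The push branch of `check` in the first hunk still dispatches on the actor type inline and continues outside the hunk, so it is worth confirming that every branch there returns a status object rather than a bare boolean, which is the defect this commit removes from the download path. The body of `user_download_access_check` also runs past the end of the second hunk.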
@@ -46,6 +46,25 @@ describe Gitlab::GitAccess do
 it { subject.allowed?.should be_false }
 end
 end
+
+ describe 'deploy key permissions' do
+ let(:key) { create(:deploy_key) }
+
+ context 'pull code' do
+ context 'allowed' do
+ before { key.projects << project }
+ subject { access.download_access_check(key, project) }
+
+ it { subject.allowed?.should be_true }
+ end
+
+ context 'denied' do
+ subject { access.download_access_check(key, project) }
+
+ it { subject.allowed?.should be_false }
+ end
+ end
+ end
 end
 describe 'push_access_check' do |
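Review bot: Both new examples call `download_access_check` directly, so the path that was actually broken, `check` receiving a deploy key with a download command, is still not covered. I would add a pair of examples that go through the entry point, e.g. `subject { access.check(key, cmd, project) }` with `cmd` taken from `DOWNLOAD_COMMANDS`, asserting `allowed?` in both directions. The 'denied' context also uses a key attached to no project at all; a key attached to a different project (`before { key.projects << other_project }`, with `other_project` being a second fixture) would be a stronger negative case for an authorisation check. The enclosing `describe` block starts outside this hunk, so `access` and `project` are assumed to be defined there.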