-rw-r--r--lib/api/internal.rb13
-rw-r--r--lib/gitlab/git_access.rb43
-rw-r--r--lib/gitlab/git_access_wiki.rb7
-rw-r--r--spec/lib/gitlab/git_access_wiki_spec.rb22
4 files changed, 63 insertions, 22 deletions
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 5f484f63418..94aa2f78c2e 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -14,13 +14,20 @@ module API
#
post "/allowed" do
status 200
+ project_path = params[:project]
# Check for *.wiki repositories.
# Strip out the .wiki from the pathname before finding the
# project. This applies the correct project permissions to
# the wiki repository as well.
- project_path = params[:project]
- project_path.gsub!(/\.wiki/,'') if project_path =~ /\.wiki/
+ access =
+ if project_path =~ /\.wiki\Z/
+ project_path = project_path[0..-6]
+ Gitlab::GitAccessWiki.new
+ else
+ Gitlab::GitAccess.new
+ end
+
project = Project.find_with_namespace(project_path)
return false unless project
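Review bot: The suffix test `project_path =~ /\.wiki\Z/` and the slice `project_path[0..-6]` are tied together only by a magic number, and `\Z` also matches just before a trailing newline, so a path ending in `.wiki` plus a newline would select `GitAccessWiki` while the slice removes the wrong five characters. Because `params[:project]` comes from the request and this branch decides which permission model is applied, anchor with `\z` and strip the same literal that was matched: `if project_path =~ /\.wiki\z/` followed by `project_path = project_path.chomp('.wiki')`. The lookup would presumably fail closed in the newline case, but the chosen access class and the looked-up project should not be able to disagree. The `post "/allowed"` block continues outside this hunk.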
@@ -32,7 +39,7 @@ module API
return false unless actor
- Gitlab::GitAccess.new.allowed?(
+ access.allowed?(
actor,
params[:action],
project,
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 6247dd59867..b768a99a0e8 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -49,25 +49,7 @@ module Gitlab
# Iterate over all changes to find if user allowed all of them to be applied
changes.each do |change|
- oldrev, newrev, ref = change.split(' ')
-
- action = if project.protected_branch?(branch_name(ref))
- # we dont allow force push to protected branch
- if forced_push?(project, oldrev, newrev)
- :force_push_code_to_protected_branches
- # and we dont allow remove of protected branch
- elsif newrev =~ /0000000/
- :remove_protected_branches
- else
- :push_code_to_protected_branches
- end
- elsif project.repository && project.repository.tag_names.include?(tag_name(ref))
- # Prevent any changes to existing git tag unless user has permissions
- :admin_project
- else
- :push_code
- end
- unless user.can?(action, project)
+ unless change_allowed?(user, project, change)
# If user does not have access to make at least one change - cancel all push
return false
end
@@ -77,6 +59,29 @@ module Gitlab
true
end
+ def change_allowed?(user, project, change)
+ oldrev, newrev, ref = change.split(' ')
+
+ action = if project.protected_branch?(branch_name(ref))
+ # we dont allow force push to protected branch
+ if forced_push?(project, oldrev, newrev)
+ :force_push_code_to_protected_branches
+ # and we dont allow remove of protected branch
+ elsif newrev =~ /0000000/
+ :remove_protected_branches
+ else
+ :push_code_to_protected_branches
+ end
+ elsif project.repository && project.repository.tag_names.include?(tag_name(ref))
+ # Prevent any changes to existing git tag unless user has permissions
+ :admin_project
+ else
+ :push_code
+ end
+
+ user.can?(action, project)
+ end
+
def forced_push?(project, oldrev, newrev)
return false if project.empty_repo?
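Review bot: In the extracted `change_allowed?`, the deletion check `newrev =~ /0000000/` is unanchored, so any new revision whose hex id merely contains seven consecutive zeros is classified as `:remove_protected_branches`; since the code is being moved anyway, compare against the whole blank id, e.g. `elsif newrev =~ /\A0+\z/`. The method is now the override point used by `GitAccessWiki`, so it deserves a contract comment such as `# Returns true when user may apply this single "oldrev newrev ref" change; subclasses override it to apply a different permission model.` `change.split(' ')` also assumes three fields: a malformed line leaves `ref` nil before `branch_name(ref)` is called, and whether that is handled is not visible in this hunk.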
diff --git a/lib/gitlab/git_access_wiki.rb b/lib/gitlab/git_access_wiki.rb
new file mode 100644
index 00000000000..9f0eb3be20f
--- /dev/null
+++ b/lib/gitlab/git_access_wiki.rb
@@ -0,0 +1,7 @@
+module Gitlab
+ class GitAccessWiki < GitAccess
+ def change_allowed?(user, project, change)
+ user.can?(:write_wiki, project)
+ end
+ end
+end
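Review bot: `GitAccessWiki#change_allowed?` ignores `change` entirely, so the protected-branch, force-push and tag checks in `GitAccess` no longer apply to wiki pushes; the spec suggests this is intended, but the class should say so, e.g. `# Wiki repositories have no protected refs; a push is governed solely by :write_wiki.` Only the per-change push check is overridden, so whatever else the parent decides (read access, for instance, which is not visible in this diff) presumably still uses the code-repository abilities; confirm that is intended for projects where wiki and code permissions differ. Renaming the unused parameter to `_change` would make the deliberate omission obvious.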
diff --git a/spec/lib/gitlab/git_access_wiki_spec.rb b/spec/lib/gitlab/git_access_wiki_spec.rb
new file mode 100644
index 00000000000..ed5785b31e6
--- /dev/null
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe Gitlab::GitAccessWiki do
+ let(:access) { Gitlab::GitAccessWiki.new }
+ let(:project) { create(:project) }
+ let(:user) { create(:user) }
+
+ describe 'push_allowed?' do
+ before do
+ create(:protected_branch, name: 'master', project: project)
+ project.team << [user, :developer]
+ end
+
+ subject { access.push_allowed?(user, project, changes) }
+
+ it { should be_true }
+ end
+
+ def changes
+ ['6f6d7e7ed 570e7b2ab refs/heads/master']
+ end
+end
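Review bot: The spec only proves the permissive path (a developer may push to a protected `master` in the wiki) and never asserts that a user without `:write_wiki` is refused, so a regression that makes `GitAccessWiki#change_allowed?` return true for everyone would still pass. Add a negative example alongside the existing one; the sketch below assumes a freshly created user who is not a team member has no wiki write ability on the factory project, which should be confirmed against the factory defaults.

```ruby
  describe 'push_allowed?' do
    # … unchanged: developer context with protected master …

    context 'when the user has no wiki write access' do
      let(:outsider) { create(:user) }

      it 'rejects the push' do
        access.push_allowed?(outsider, project, changes).should be_false
      end
    end
```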