Commit d5acb69e authored by James Edwards-Jones's avatar James Edwards-Jones

Protected Tags prevents all updates instead of just force pushes.

This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
parent ff2713a5
...@@ -8,8 +8,8 @@ ...@@ -8,8 +8,8 @@
%p.prepend-top-20 %p.prepend-top-20
By default, Protected tags are designed to: By default, Protected tags are designed to:
%ul %ul
%li Prevent tag pushes from everybody except Masters %li Prevent tag creation by everybody except Masters
%li Prevent <strong>anyone</strong> from force pushing to the tag %li Prevent <strong>anyone</strong> from updating the tag
%li Prevent <strong>anyone</strong> from deleting the tag %li Prevent <strong>anyone</strong> from deleting the tag
.col-lg-9 .col-lg-9
- if can? current_user, :admin_project, @project - if can? current_user, :admin_project, @project
......
...@@ -37,7 +37,7 @@ module Gitlab ...@@ -37,7 +37,7 @@ module Gitlab
if forced_push? if forced_push?
return "You are not allowed to force push code to a protected branch on this project." return "You are not allowed to force push code to a protected branch on this project."
elsif blank_ref? elsif deletion?
return "You are not allowed to delete protected branches from this project." return "You are not allowed to delete protected branches from this project."
end end
...@@ -62,7 +62,7 @@ module Gitlab ...@@ -62,7 +62,7 @@ module Gitlab
return unless @tag_name return unless @tag_name
if tag_exists? && user_access.cannot_do_action?(:admin_project) if tag_exists? && user_access.cannot_do_action?(:admin_project)
"You are not allowed to change existing tags on this project." return "You are not allowed to change existing tags on this project."
end end
protected_tag_checks protected_tag_checks
...@@ -71,11 +71,11 @@ module Gitlab ...@@ -71,11 +71,11 @@ module Gitlab
def protected_tag_checks def protected_tag_checks
return unless tag_protected? return unless tag_protected?
if forced_push? #TODO: Verify if this should prevent all updates, and mention in UI and documentation if update?
return "Protected tags cannot be updated." return "Protected tags cannot be updated."
end end
if Gitlab::Git.blank_ref?(@newrev) if deletion?
return "Protected tags cannot be deleted." return "Protected tags cannot be deleted."
end end
...@@ -106,7 +106,11 @@ module Gitlab ...@@ -106,7 +106,11 @@ module Gitlab
Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev, env: @env) Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev, env: @env)
end end
def blank_ref? def update?
!Gitlab::Git.blank_ref?(@oldrev) && !deletion?
end
def deletion?
Gitlab::Git.blank_ref?(@newrev) Gitlab::Git.blank_ref?(@newrev)
end end
......
...@@ -5,13 +5,10 @@ describe Gitlab::Checks::ChangeAccess, lib: true do ...@@ -5,13 +5,10 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:user_access) { Gitlab::UserAccess.new(user, project: project) } let(:user_access) { Gitlab::UserAccess.new(user, project: project) }
let(:changes) do let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
{ let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c', let(:ref) { 'refs/heads/master' }
newrev: '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51', let(:changes) { { oldrev: oldrev, newrev: newrev, ref: ref } }
ref: 'refs/heads/master'
}
end
let(:protocol) { 'ssh' } let(:protocol) { 'ssh' }
subject do subject do
...@@ -41,13 +38,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do ...@@ -41,13 +38,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
end end
context 'tags check' do context 'tags check' do
let(:changes) do let(:ref) { 'refs/tags/v1.0.0' }
{
oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
newrev: '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51',
ref: 'refs/tags/v1.0.0'
}
end
it 'returns an error if the user is not allowed to update tags' do it 'returns an error if the user is not allowed to update tags' do
allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true) allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true)
...@@ -60,31 +51,38 @@ describe Gitlab::Checks::ChangeAccess, lib: true do ...@@ -60,31 +51,38 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
context 'with protected tag' do context 'with protected tag' do
let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') } let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') }
context 'as master' do
before { project.add_master(user) }
context 'deletion' do context 'deletion' do
let(:changes) do let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
{ let(:newrev) { '0000000000000000000000000000000000000000' }
oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
newrev: '0000000000000000000000000000000000000000',
ref: 'refs/tags/v1.0.0'
}
end
it 'is prevented' do it 'is prevented' do
expect(subject.status).to be(false) expect(subject.status).to be(false)
expect(subject.message).to include('delete protected tags') expect(subject.message).to include('cannot be deleted')
end end
end end
it 'prevents force push' do context 'update' do
expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true) let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
it 'is prevented' do
expect(subject.status).to be(false) expect(subject.status).to be(false)
expect(subject.message).to include('force push protected tags') expect(subject.message).to include('cannot be updated')
end end
end
end
context 'creation' do
let(:oldrev) { '0000000000000000000000000000000000000000' }
let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
let(:ref) { 'refs/tags/v9.1.0' }
it 'prevents creation below access level' do it 'prevents creation below access level' do
expect(subject.status).to be(false) expect(subject.status).to be(false)
expect(subject.message).to include('allowed to') expect(subject.message).to include('allowed to create this tag as it is protected')
end end
context 'when user has access' do context 'when user has access' do
...@@ -96,6 +94,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do ...@@ -96,6 +94,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
end end
end end
end end
end
context 'protected branches check' do context 'protected branches check' do
before do before do
...@@ -126,13 +125,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do ...@@ -126,13 +125,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
end end
context 'branch deletion' do context 'branch deletion' do
let(:changes) do let(:newrev) { '0000000000000000000000000000000000000000' }
{
oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
newrev: '0000000000000000000000000000000000000000',
ref: 'refs/heads/master'
}
end
it 'returns an error if the user is not allowed to delete protected branches' do it 'returns an error if the user is not allowed to delete protected branches' do
expect(subject.status).to be(false) expect(subject.status).to be(false)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment