Extract a `ProtectedBranchAccessEe` module

- EE-specific protected branch access level code lives in this new module, while CE or CE/EE code lives in the existing `ProtectedBranchAccess` module. This allows us to make changes without introducing conflicts. - The access level model classes first include `ProtectedBranchAccess`, followed by `ProtectedBranchAccessEe`, which preserves the inheritance chain: {Push,Merge}AccessLevel > ProtectedBranchAccessEe > ProtectedBranchAccess

Extract a `ProtectedBranchAccessEe` module
- EE-specific protected branch access level code lives in this new module, while CE or CE/EE code lives in the existing `ProtectedBranchAccess` module. This allows us to make changes without introducing conflicts. - The access level model classes first include `ProtectedBranchAccess`, followed by `ProtectedBranchAccessEe`, which preserves the inheritance chain: {Push,Merge}AccessLevel > ProtectedBranchAccessEe > ProtectedBranchAccess
323ed342 · Timothy Andrew · 05610a23 · 323ed342 · 323ed342 · 323ed342
Commit 323ed342 authored Nov 29, 2016 by Timothy Andrew
4 changed files
--- a/app/models/concerns/protected_branch_access.rb
+++ b/app/models/concerns/protected_branch_access.rb
@@ -2,12 +2,6 @@ module ProtectedBranchAccess
  extend ActiveSupport::Concern
  included do
-    validates_uniqueness_of :group_id, scope: :protected_branch, allow_nil: true
-    validates_uniqueness_of :user_id, scope: :protected_branch, allow_nil: true
-    validates_uniqueness_of :access_level,
-                            scope: :protected_branch,
-                            unless: Proc.new { |access_level| access_level.user_id? || access_level.group_id? },
-                            conditions: -> { where(user_id: nil, group_id: nil) }
    belongs_to :protected_branch
    delegate :project, to: :protected_branch
@@ -15,21 +9,14 @@ module ProtectedBranchAccess
    scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) }
  end
-  def type
+  def humanize
-    if self.user.present?
+    self.class.human_access_levels[self.access_level]
-      :user
-    elsif self.group.present?
-      :group
-    else
-      :role
-    end
  end
-  def humanize
+  def check_access(user)
-    return self.user.name if self.user.present?
+    return true if user.is_admin?
-    return self.group.name if self.group.present?
-    self.class.human_access_levels[self.access_level]
+    project.team.max_member_access(user.id) >= access_level
  end
  def check_access(user)

--- a/app/models/concerns/protected_branch_access_ee.rb
+++ b/app/models/concerns/protected_branch_access_ee.rb
+# EE-specific code related to protected branch access levels.
+#
+# Note: Include `ProtectedBranchAccess` _before_ including this module, since
+# a number of methods here override methods in `ProtectedBranchAccess`
+module ProtectedBranchAccessEe
+  extend ActiveSupport::Concern
+  included do
+    belongs_to :user
+    belongs_to :group
+    validates_uniqueness_of :group_id, scope: :protected_branch, allow_nil: true
+    validates_uniqueness_of :user_id, scope: :protected_branch, allow_nil: true
+    validates_uniqueness_of :access_level,
+                            scope: :protected_branch,
+                            if: :role?,
+                            conditions: -> { where(user_id: nil, group_id: nil) }
+    scope :by_user, -> (user) { where(user: user ) }
+    scope :by_group, -> (group) { where(group: group ) }
+  end
+  def type
+    if self.user.present?
+      :user
+    elsif self.group.present?
+      :group
+    else
+      :role
+    end
+  end
+  # Is this a role-based access level?
+  def role?
+    type == :role
+  end
+  def humanize
+    return self.user.name if self.user.present?
+    return self.group.name if self.group.present?
+    super
+  end
+  def check_access(user)
+    return true if user.is_admin?
+    return user.id == self.user_id if self.user.present?
+    return group.users.exists?(user.id) if self.group.present?
+    super
+  end
+end
--- a/app/models/protected_branch/merge_access_level.rb
+++ b/app/models/protected_branch/merge_access_level.rb
 class ProtectedBranch::MergeAccessLevel < ActiveRecord::Base
  include ProtectedBranchAccess
+  include ProtectedBranchAccessEe
-  belongs_to :user
-  belongs_to :group
  validates :access_level, presence: true, inclusion: { in: [Gitlab::Access::MASTER,
                                                             Gitlab::Access::DEVELOPER] }
-  scope :by_user, -> (user) { where(user: user ) }
-  scope :by_group, -> (group) { where(group: group ) }
  def self.human_access_levels
    {
      Gitlab::Access::MASTER => "Masters",
      Gitlab::Access::DEVELOPER => "Developers + Masters"
    }.with_indifferent_access
  end
-  def check_access(user)
-    return true if user.is_admin?
-    return user.id == self.user_id if self.user.present?
-    return group.users.exists?(user.id) if self.group.present?
-    super
-  end
 end
--- a/app/models/protected_branch/push_access_level.rb
+++ b/app/models/protected_branch/push_access_level.rb
 class ProtectedBranch::PushAccessLevel < ActiveRecord::Base
  include ProtectedBranchAccess
+  include ProtectedBranchAccessEe
-  belongs_to :user
-  belongs_to :group
  validates :access_level, presence: true, inclusion: { in: [Gitlab::Access::MASTER,
                                                             Gitlab::Access::DEVELOPER,
                                                             Gitlab::Access::NO_ACCESS] }
-  scope :by_user, -> (user) { where(user: user ) }
-  scope :by_group, -> (group) { where(group: group ) }
  def self.human_access_levels
    {
      Gitlab::Access::MASTER => "Masters",
@@ -21,9 +16,6 @@ class ProtectedBranch::PushAccessLevel < ActiveRecord::Base
  def check_access(user)
    return false if access_level == Gitlab::Access::NO_ACCESS
-    return true if user.is_admin?
-    return user.id == self.user_id if self.user.present?
-    return group.users.exists?(user.id) if self.group.present?
    super
  end