Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
37d37488
Commit
37d37488
authored
Feb 17, 2021
by
Nick Thomas
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Revert "Merge branch 'id-restrict-protected-rules' into 'master'"
This reverts merge request !52319
parent
8a6ee3ab
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
5 additions
and
93 deletions
+5
-93
app/models/concerns/protected_ref.rb
app/models/concerns/protected_ref.rb
+5
-11
changelogs/unreleased/id-restrict-protected-rules.yml
changelogs/unreleased/id-restrict-protected-rules.yml
+0
-5
spec/models/concerns/protected_ref_spec.rb
spec/models/concerns/protected_ref_spec.rb
+0
-77
No files found.
app/models/concerns/protected_ref.rb
View file @
37d37488
...
...
@@ -40,26 +40,20 @@ module ProtectedRef
end
def
protected_ref_accessible_to?
(
ref
,
user
,
project
:,
action
:,
protected_refs:
nil
)
a
ll_matching_rules_allow?
(
ref
,
action:
action
,
protected_refs:
protected_refs
)
do
|
access_level
|
a
ccess_levels_for_ref
(
ref
,
action:
action
,
protected_refs:
protected_refs
).
any?
do
|
access_level
|
access_level
.
check_access
(
user
)
end
end
def
developers_can?
(
action
,
ref
,
protected_refs:
nil
)
a
ll_matching_rules_allow?
(
ref
,
action:
action
,
protected_refs:
protected_refs
)
do
|
access_level
|
a
ccess_levels_for_ref
(
ref
,
action:
action
,
protected_refs:
protected_refs
).
any?
do
|
access_level
|
access_level
.
access_level
==
Gitlab
::
Access
::
DEVELOPER
end
end
def
all_matching_rules_allow?
(
ref
,
action
:,
protected_refs:
nil
,
&
block
)
access_levels_groups
=
self
.
matching
(
ref
,
protected_refs:
protected_refs
).
map
(
&
:"
#{
action
}
_access_levels"
)
return
false
if
access_levels_groups
.
blank?
access_levels_groups
.
all?
do
|
access_levels
|
access_levels
.
any?
(
&
block
)
end
def
access_levels_for_ref
(
ref
,
action
:,
protected_refs:
nil
)
self
.
matching
(
ref
,
protected_refs:
protected_refs
)
.
flat_map
(
&
:"
#{
action
}
_access_levels"
)
end
# Returns all protected refs that match the given ref name.
...
...
changelogs/unreleased/id-restrict-protected-rules.yml
deleted
100644 → 0
View file @
8a6ee3ab
---
title
:
Most restrictive protected branch rule takes precedence
merge_request
:
52319
author
:
type
:
fixed
spec/models/concerns/protected_ref_spec.rb
deleted
100644 → 0
View file @
8a6ee3ab
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
describe
ProtectedRef
do
using
RSpec
::
Parameterized
::
TableSyntax
let_it_be
(
:project
)
{
create
(
:project
,
:repository
)
}
let_it_be
(
:user
)
{
create
(
:user
,
maintainer_projects:
[
project
])
}
where
(
:klass
,
:factory
,
:action
)
do
ProtectedBranch
|
:protected_branch
|
:push
ProtectedTag
|
:protected_tag
|
:create
end
with_them
do
describe
'#protected_ref_accessible_to?'
do
subject
do
klass
.
protected_ref_accessible_to?
(
'release'
,
user
,
project:
project
,
action:
action
)
end
it
'user cannot do action if rules do not exist'
do
is_expected
.
to
be_falsy
end
context
'the ref is protected'
do
let!
(
:default_rule
)
{
create
(
factory
,
:"developers_can_
#{
action
}
"
,
project:
project
,
name:
'release'
)
}
context
'all rules permit action'
do
let!
(
:maintainers_can
)
{
create
(
factory
,
:"maintainers_can_
#{
action
}
"
,
project:
project
,
name:
'release*'
)
}
it
'user can do action'
do
is_expected
.
to
be_truthy
end
end
context
'one of the rules forbids action'
do
let!
(
:no_one_can
)
{
create
(
factory
,
:"no_one_can_
#{
action
}
"
,
project:
project
,
name:
'release*'
)
}
it
'user cannot do action'
do
is_expected
.
to
be_falsy
end
end
end
end
describe
'#developers_can?'
do
subject
do
klass
.
developers_can?
(
action
,
'release'
)
end
it
'developers cannot do action if rules do not exist'
do
is_expected
.
to
be_falsy
end
context
'the ref is protected'
do
let!
(
:default_rule
)
{
create
(
factory
,
:"developers_can_
#{
action
}
"
,
project:
project
,
name:
'release'
)
}
context
'all rules permit developers to do action'
do
let!
(
:developers_can
)
{
create
(
factory
,
:"developers_can_
#{
action
}
"
,
project:
project
,
name:
'release*'
)
}
it
'developers can do action'
do
is_expected
.
to
be_truthy
end
end
context
'one of the rules forbids developers to do action'
do
let!
(
:maintainers_can
)
{
create
(
factory
,
:"maintainers_can_
#{
action
}
"
,
project:
project
,
name:
'release*'
)
}
it
'developers cannot do action'
do
is_expected
.
to
be_falsy
end
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment