Commit 55c67b9a authored by Imre Farkas's avatar Imre Farkas

Merge branch '300291-fj-forbid-to-group-wikis-when-read-only' into 'master'

Forbid git pushes to group wikis when repo is read only

See merge request gitlab-org/gitlab!52801
parents e7a30261 e0d827ed
---
title: Forbid git pushes to group wikis when repo is read only
merge_request: 52801
author:
type: added
...@@ -9,7 +9,8 @@ module EE ...@@ -9,7 +9,8 @@ module EE
ERROR_MESSAGES = { ERROR_MESSAGES = {
write_to_group_wiki: "You are not allowed to write to this group's wiki.", write_to_group_wiki: "You are not allowed to write to this group's wiki.",
group_not_found: 'The group you were looking for could not be found.', group_not_found: 'The group you were looking for could not be found.',
no_group_repo: 'A repository for this group wiki does not exist yet.' no_group_repo: 'A repository for this group wiki does not exist yet.',
repo_read_only: 'The repository is temporarily read-only. Please try again later.'
}.freeze }.freeze
override :group override :group
...@@ -26,9 +27,13 @@ module EE ...@@ -26,9 +27,13 @@ module EE
override :check_push_access! override :check_push_access!
def check_push_access! def check_push_access!
return check_change_access! if group? return super unless group?
super if group.repository_read_only?
raise ::Gitlab::GitAccess::ForbiddenError, ERROR_MESSAGES[:repo_read_only]
end
check_change_access!
end end
override :write_to_wiki_message override :write_to_wiki_message
......
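Review bot: The read-only guard in `check_push_access!` has no comment explaining why it runs before `check_change_access!`, and that ordering decides which error a caller sees. As written, a caller who also lacks wiki write permission gets the `repo_read_only` message rather than `write_to_group_wiki`, so the repository's state is reported ahead of the permission decision; whether earlier checks already reject such callers is not visible in this hunk. I would state the intent above the guard, e.g. `# Deny every push while the group wiki repository is read-only; this runs before per-change permission checks.` The enclosing module and the `group?` helper are defined outside the shown lines.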
...@@ -42,7 +42,16 @@ RSpec.describe Gitlab::GitAccessWiki do ...@@ -42,7 +42,16 @@ RSpec.describe Gitlab::GitAccessWiki do
end end
it 'does not give access to upload wiki code' do it 'does not give access to upload wiki code' do
expect { subject }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You can't push code to a read-only GitLab instance.") expect { subject }.to raise_forbidden("You can't push code to a read-only GitLab instance.")
end
end
context 'when group is read-only' do
it 'does not allow push and allows pull access' do
allow(group).to receive(:repository_read_only?).and_return(true)
expect { push_changes(changes) }.to raise_forbidden('The repository is temporarily read-only. Please try again later.')
expect { pull_changes(changes) }.not_to raise_error
end end
end end
end end
......
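Review bot: The new 'when group is read-only' example reaches the guard only through `allow(group).to receive(:repository_read_only?).and_return(true)` and, as far as the hunk shows, only for the user that the enclosing context sets up. That proves the predicate is consulted, but within the shown lines it does not pin which error a user without wiki write access receives while the repository is read-only. Consider one more example for that unauthorized-user case, plus a short comment on the stub such as `# stubbed: only the access check is under test, not how the flag gets set`. The enclosing `describe`/`context` blocks and the `raise_forbidden` helper begin outside the shown lines.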