Cleanup & tests for UserAccess#can_create_tag?

63422647 · James Edwards-Jones · 8f3b901c · 63422647 · 63422647 · 63422647
Commit 63422647 authored Apr 04, 2017 by James Edwards-Jones
4 changed files
--- a/app/models/concerns/protected_ref.rb
+++ b/app/models/concerns/protected_ref.rb
@@ -8,7 +8,7 @@ module ProtectedRef
    delegate :matching, :matches?, :wildcard?, to: :ref_matcher
-    def self.matching_refs_accesible_to(ref, user, action: :push)
+    def self.protected_ref_accessible_to?(ref, user, action: :push)
      access_levels_for_ref(ref, action: action).any? do |access_level|
        access_level.check_access(user)
      end

--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -81,7 +81,7 @@ module Gitlab
          return "Protected tags cannot be deleted."
        end
-        unless user_access.can_push_tag?(@tag_name)
+        unless user_access.can_create_tag?(@tag_name)
          return "You are not allowed to create this tag as it is protected."
        end
      end

--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -28,14 +28,11 @@ module Gitlab
      true
    end
-    #TODO: Test this
+    def can_create_tag?(ref)
-    #TODO move most to ProtectedTag::AccessChecker. Or maybe UserAccess::Protections::Tag
-    #TODO: then consider removing method, if it turns out can_access_git? and can?(:push_code are checked in change_access
-    def can_push_tag?(ref)
      return false unless can_access_git?
      if ProtectedTag.protected?(project, ref)
-        project.protected_tags.matching_refs_accesible_to(ref, user)
+        project.protected_tags.protected_ref_accessible_to?(ref, user)
      else
        user.can?(:push_code, project)
      end
@@ -47,7 +44,7 @@ module Gitlab
      if ProtectedBranch.protected?(project, ref)
        return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
-        has_access = project.protected_branches.matching_refs_accesible_to(ref, user, action: :push)
+        has_access = project.protected_branches.protected_ref_accessible_to?(ref, user, action: :push)
        has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)
      else
@@ -59,7 +56,7 @@ module Gitlab
      return false unless can_access_git?
      if ProtectedBranch.protected?(project, ref)
-        project.protected_branches.matching_refs_accesible_to(ref, user, action: :merge)
+        project.protected_branches.protected_ref_accessible_to?(ref, user, action: :merge)
      else
        user.can?(:push_code, project)
      end

--- a/spec/lib/gitlab/user_access_spec.rb
+++ b/spec/lib/gitlab/user_access_spec.rb
@@ -142,4 +142,74 @@ describe Gitlab::UserAccess, lib: true do
      end
    end
  end
+  describe 'can_create_tag?' do
+    describe 'push to none protected tag' do
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+        expect(access.can_create_tag?('random_tag')).to be_truthy
+      end
+      it 'returns true if user is a developer' do
+        project.add_user(user, :developer)
+        expect(access.can_create_tag?('random_tag')).to be_truthy
+      end
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+        expect(access.can_create_tag?('random_tag')).to be_falsey
+      end
+    end
+    describe 'push to protected tag' do
+      let(:tag) { create(:protected_tag, project: project, name: "test") }
+      let(:not_existing_tag) { create :protected_tag, project: project }
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+        expect(access.can_create_tag?(tag.name)).to be_truthy
+      end
+      it 'returns false if user is a developer' do
+        project.add_user(user, :developer)
+        expect(access.can_create_tag?(tag.name)).to be_falsey
+      end
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+        expect(access.can_create_tag?(tag.name)).to be_falsey
+      end
+    end
+    describe 'push to protected tag if allowed for developers' do
+      before do
+        @tag = create(:protected_tag, :developers_can_push, project: project)
+      end
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+        expect(access.can_create_tag?(@tag.name)).to be_truthy
+      end
+      it 'returns true if user is a developer' do
+        project.add_user(user, :developer)
+        expect(access.can_create_tag?(@tag.name)).to be_truthy
+      end
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+        expect(access.can_create_tag?(@tag.name)).to be_falsey
+      end
+    end
+  end
 end