Prevent git push on secondary geo nodes.

7560abb3 · Gabriel Mazetto · 77456854 · 7560abb3 · 7560abb3 · 7560abb3
Commit 7560abb3 authored Feb 20, 2016 by Gabriel Mazetto
4 changed files
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -113,6 +113,10 @@ module Gitlab
        return build_status_object(false, "A repository for this project does not exist yet.")
      end

+      if Gitlab::Geo.enabled? && Gitlab::Geo.readonly?
+        return build_status_object(false, "You can't push code on a secondary Gitlab Geo node.")
+      end
+
      if ::License.block_changes?
        message = ::LicenseHelper.license_message(signed_in: true, is_admin: (user && user.is_admin?))
        return build_status_object(false, message)

--- a/lib/gitlab/git_access_wiki.rb
+++ b/lib/gitlab/git_access_wiki.rb
 module Gitlab
  class GitAccessWiki < GitAccess
    def change_access_check(change)
-      if user.can?(:create_wiki, project)
+      if Gitlab::Geo.enabled? && Gitlab::Geo.readonly?
+        build_status_object(false, "You can't push code on a secondary Gitlab Geo node.")
+      elsif user.can?(:create_wiki, project)
        build_status_object(true)
      else
        build_status_object(false, "You are not allowed to write to this project's wiki.")

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -249,6 +249,28 @@ describe Gitlab::GitAccess, lib: true do
      end
    end

+    context "when in a readonly gitlab geo node" do
+      before do
+        allow(Gitlab::Geo).to receive(:enabled?) { true }
+        allow(Gitlab::Geo).to receive(:readonly?) { true }
+      end
+
+      permissions_matrix.keys.each do |role|
+        describe "#{role} access" do
+          before { protect_feature_branch }
+          before { project.team << [user, role] }
+
+          permissions_matrix[role].each do |action, allowed|
+            context action do
+              subject { access.push_access_check(changes[action]) }
+
+              it { expect(subject.allowed?).to be_falsey }
+            end
+          end
+        end
+      end
+    end
+
    context "when using git annex" do
      before { project.team << [user, :master] }


--- a/spec/lib/gitlab/git_access_wiki_spec.rb
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
@@ -4,19 +4,28 @@ describe Gitlab::GitAccessWiki, lib: true do
  let(:access) { Gitlab::GitAccessWiki.new(user, project) }
  let(:project) { create(:project) }
  let(:user) { create(:user) }
+  let(:changes) { ['6f6d7e7ed 570e7b2ab refs/heads/master'] }

-  describe 'push_allowed?' do
-    before do
-      create(:protected_branch, name: 'master', project: project)
-      project.team << [user, :developer]
-    end
+  describe '#push_access_check' do
+    context 'when user can :create_wiki' do
+      before do
+        create(:protected_branch, name: 'master', project: project)
+        project.team << [user, :developer]
+      end

-    subject { access.push_access_check(changes) }
+      subject { access.push_access_check(changes) }

-    it { expect(subject.allowed?).to be_truthy }
-  end
+      it { expect(subject.allowed?).to be_truthy }
+
+      context 'when in a readonly gitlab geo node' do
+        before do
+          allow(Gitlab::Geo).to receive(:enabled?) { true }
+          allow(Gitlab::Geo).to receive(:readonly?) { true }
+        end
+
+        it { expect(subject.allowed?).to be_falsey }
+      end
+    end

-  def changes
-    ['6f6d7e7ed 570e7b2ab refs/heads/master']
  end
 end