Commit 97332a67 authored by James Edwards-Jones's avatar James Edwards-Jones

Extract ProtectedRef Concern

parent 1d4335d9
module ProtectedRef
extend ActiveSupport::Concern
included do
belongs_to :project
validates :name, presence: true
validates :project, presence: true
def self.matching_refs_accesible_to(ref, user, action: :push)
access_levels_for_ref(ref, action).any? do |access_level|
access_level.check_access(user)
end
end
def self.access_levels_for_ref(ref, action: :push)
self.matching(ref).map(&:"@#{action}_access_levels").flatten
end
private
def self.matching(ref_name, protected_refs: nil)
ProtectedRefMatcher.matching(self, ref_name, protected_refs: protected_refs)
end
end
def commit
project.commit(self.name)
end
def matching(refs)
ref_matcher.matching(refs)
end
def matches?(refs)
ref_matcher.matches?(refs)
end
def wildcard?
ref_matcher.wildcard?
end
private
def ref_matcher
@ref_matcher ||= ProtectedRefMatcher.new(self)
end
end
...@@ -1011,14 +1011,14 @@ class Project < ActiveRecord::Base ...@@ -1011,14 +1011,14 @@ class Project < ActiveRecord::Base
return true if empty_repo? && default_branch_protected? return true if empty_repo? && default_branch_protected?
@protected_branches ||= self.protected_branches.to_a @protected_branches ||= self.protected_branches.to_a
ProtectedBranch.matching(branch_name, protected_branches: @protected_branches).present? ProtectedBranch.matching(branch_name, protected_refs: @protected_branches).present?
end end
#TODO: Move elsewhere #TODO: Move elsewhere
def protected_tag?(tag_name) def protected_tag?(tag_name)
#TODO: Check if memoization necessary, find way to have it work elsewhere #TODO: Check if memoization necessary, find way to have it work elsewhere
@protected_tags ||= self.protected_tags.to_a @protected_tags ||= self.protected_tags.to_a
ProtectedTag.matching(tag_name, protected_tags: @protected_tags).present? ProtectedTag.matching(tag_name, protected_refs: @protected_tags).present?
end end
def user_can_push_to_empty_repo?(user) def user_can_push_to_empty_repo?(user)
......
class ProtectedBranch < ActiveRecord::Base class ProtectedBranch < ActiveRecord::Base
include Gitlab::ShellAdapter include Gitlab::ShellAdapter
include ProtectedRef
belongs_to :project
validates :name, presence: true
validates :project, presence: true
has_many :merge_access_levels, dependent: :destroy has_many :merge_access_levels, dependent: :destroy
has_many :push_access_levels, dependent: :destroy has_many :push_access_levels, dependent: :destroy
...@@ -30,26 +27,6 @@ class ProtectedBranch < ActiveRecord::Base ...@@ -30,26 +27,6 @@ class ProtectedBranch < ActiveRecord::Base
# access to the given group. # access to the given group.
scope :push_access_by_group, -> (group) { PushAccessLevel.joins(:protected_branch).where(protected_branch_id: self.ids).merge(PushAccessLevel.by_group(group)) } scope :push_access_by_group, -> (group) { PushAccessLevel.joins(:protected_branch).where(protected_branch_id: self.ids).merge(PushAccessLevel.by_group(group)) }
def commit
project.commit(self.name)
end
def self.matching(branch_name, protected_branches: nil)
ProtectedRefMatcher.matching(ProtectedBranch, branch_name, protected_refs: protected_branches)
end
def matching(branches)
ref_matcher.matching(branches)
end
def matches?(branch_name)
ref_matcher.matches?(branch_name)
end
def wildcard?
ref_matcher.wildcard?
end
# Returns a hash were keys are types of push access levels (user, role), and # Returns a hash were keys are types of push access levels (user, role), and
# values are the number of access levels of the particular type. # values are the number of access levels of the particular type.
def push_access_level_frequencies def push_access_level_frequencies
...@@ -67,10 +44,4 @@ class ProtectedBranch < ActiveRecord::Base ...@@ -67,10 +44,4 @@ class ProtectedBranch < ActiveRecord::Base
frequencies frequencies
end end
end end
private
def ref_matcher
@ref_matcher ||= ProtectedRefMatcher.new(self)
end
end end
class ProtectedTag < ActiveRecord::Base class ProtectedTag < ActiveRecord::Base
include Gitlab::ShellAdapter include Gitlab::ShellAdapter
include ProtectedRef
belongs_to :project
validates :name, presence: true
validates :project, presence: true
has_many :push_access_levels, dependent: :destroy has_many :push_access_levels, dependent: :destroy
validates :push_access_levels, length: { is: 1, message: "are restricted to a single instance per protected tag." } validates :push_access_levels, length: { is: 1, message: "are restricted to a single instance per protected tag." }
accepts_nested_attributes_for :push_access_levels accepts_nested_attributes_for :push_access_levels
def commit
project.commit(self.name)
end
def self.matching(tag_name, protected_tags: nil)
ProtectedRefMatcher.matching(ProtectedTag, tag_name, protected_refs: protected_tags)
end
def matching(branches)
ref_matcher.matching(branches)
end
def matches?(tag_name)
ref_matcher.matches?(tag_name)
end
def wildcard?
ref_matcher.wildcard?
end
private
def ref_matcher
@ref_matcher ||= ProtectedRefMatcher.new(self)
end
end end
...@@ -215,13 +215,13 @@ module API ...@@ -215,13 +215,13 @@ module API
expose :developers_can_push do |repo_branch, options| expose :developers_can_push do |repo_branch, options|
project = options[:project] project = options[:project]
access_levels = project.protected_branches.matching(repo_branch.name).map(&:push_access_levels).flatten access_levels = project.protected_branches.access_levels_for_ref(repo_branch.name, :push)
access_levels.any? { |access_level| access_level.access_level == Gitlab::Access::DEVELOPER } access_levels.any? { |access_level| access_level.access_level == Gitlab::Access::DEVELOPER }
end end
expose :developers_can_merge do |repo_branch, options| expose :developers_can_merge do |repo_branch, options|
project = options[:project] project = options[:project]
access_levels = project.protected_branches.matching(repo_branch.name).map(&:merge_access_levels).flatten access_levels = project.protected_branches.access_levels_for_ref(repo_branch.name, :merge)
access_levels.any? { |access_level| access_level.access_level == Gitlab::Access::DEVELOPER } access_levels.any? { |access_level| access_level.access_level == Gitlab::Access::DEVELOPER }
end end
end end
......
...@@ -35,10 +35,7 @@ module Gitlab ...@@ -35,10 +35,7 @@ module Gitlab
return false unless can_access_git? return false unless can_access_git?
if project.protected_tag?(ref) if project.protected_tag?(ref)
access_levels = project.protected_tags.matching(ref).map(&:push_access_levels).flatten project.protected_tags.matching_refs_accesible_to(ref, user)
has_access = access_levels.any? { |access_level| access_level.check_access(user) }
has_access
else else
user.can?(:push_code, project) user.can?(:push_code, project)
end end
...@@ -50,8 +47,7 @@ module Gitlab ...@@ -50,8 +47,7 @@ module Gitlab
if project.protected_branch?(ref) if project.protected_branch?(ref)
return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user) return true if project.empty_repo? && project.user_can_push_to_empty_repo?(user)
access_levels = project.protected_branches.matching(ref).map(&:push_access_levels).flatten has_access = project.protected_branches.matching_refs_accesible_to(ref, user, action: :push)
has_access = access_levels.any? { |access_level| access_level.check_access(user) }
has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref) has_access || !project.repository.branch_exists?(ref) && can_merge_to_branch?(ref)
else else
...@@ -63,8 +59,7 @@ module Gitlab ...@@ -63,8 +59,7 @@ module Gitlab
return false unless can_access_git? return false unless can_access_git?
if project.protected_branch?(ref) if project.protected_branch?(ref)
access_levels = project.protected_branches.matching(ref).map(&:merge_access_levels).flatten project.protected_branches.matching_refs_accesible_to(ref, user, action: :merge)
access_levels.any? { |access_level| access_level.check_access(user) }
else else
user.can?(:push_code, project) user.can?(:push_code, project)
end end
......
...@@ -212,8 +212,8 @@ describe ProtectedBranch, models: true do ...@@ -212,8 +212,8 @@ describe ProtectedBranch, models: true do
staging = build(:protected_branch, name: "staging") staging = build(:protected_branch, name: "staging")
expect(ProtectedBranch.matching("production")).to be_empty expect(ProtectedBranch.matching("production")).to be_empty
expect(ProtectedBranch.matching("production", protected_branches: [production, staging])).to include(production) expect(ProtectedBranch.matching("production", protected_refs: [production, staging])).to include(production)
expect(ProtectedBranch.matching("production", protected_branches: [production, staging])).not_to include(staging) expect(ProtectedBranch.matching("production", protected_refs: [production, staging])).not_to include(staging)
end end
end end
...@@ -231,8 +231,8 @@ describe ProtectedBranch, models: true do ...@@ -231,8 +231,8 @@ describe ProtectedBranch, models: true do
staging = build(:protected_branch, name: "staging/*") staging = build(:protected_branch, name: "staging/*")
expect(ProtectedBranch.matching("production/some-branch")).to be_empty expect(ProtectedBranch.matching("production/some-branch")).to be_empty
expect(ProtectedBranch.matching("production/some-branch", protected_branches: [production, staging])).to include(production) expect(ProtectedBranch.matching("production/some-branch", protected_refs: [production, staging])).to include(production)
expect(ProtectedBranch.matching("production/some-branch", protected_branches: [production, staging])).not_to include(staging) expect(ProtectedBranch.matching("production/some-branch", protected_refs: [production, staging])).not_to include(staging)
end end
end end
end end
......
...@@ -6,7 +6,6 @@ describe ProtectedTags::CreateService, services: true do ...@@ -6,7 +6,6 @@ describe ProtectedTags::CreateService, services: true do
let(:params) do let(:params) do
{ {
name: 'master', name: 'master',
merge_access_levels_attributes: [{ access_level: Gitlab::Access::MASTER }],
push_access_levels_attributes: [{ access_level: Gitlab::Access::MASTER }] push_access_levels_attributes: [{ access_level: Gitlab::Access::MASTER }]
} }
end end
...@@ -17,7 +16,6 @@ describe ProtectedTags::CreateService, services: true do ...@@ -17,7 +16,6 @@ describe ProtectedTags::CreateService, services: true do
it 'creates a new protected tag' do it 'creates a new protected tag' do
expect { service.execute }.to change(ProtectedTag, :count).by(1) expect { service.execute }.to change(ProtectedTag, :count).by(1)
expect(project.protected_tags.last.push_access_levels.map(&:access_level)).to eq([Gitlab::Access::MASTER]) expect(project.protected_tags.last.push_access_levels.map(&:access_level)).to eq([Gitlab::Access::MASTER])
expect(project.protected_tags.last.merge_access_levels.map(&:access_level)).to eq([Gitlab::Access::MASTER])
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment