Commit 06b7907c authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Fix deploy keys permission check in internal api

Signed-off-by: default avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 30e28a7e
...@@ -8,15 +8,7 @@ module Gitlab ...@@ -8,15 +8,7 @@ module Gitlab
def check(actor, cmd, project, changes = nil) def check(actor, cmd, project, changes = nil)
case cmd case cmd
when *DOWNLOAD_COMMANDS when *DOWNLOAD_COMMANDS
if actor.is_a? User
download_access_check(actor, project) download_access_check(actor, project)
elsif actor.is_a? DeployKey
actor.projects.include?(project)
elsif actor.is_a? Key
download_access_check(actor.user, project)
else
raise 'Wrong actor'
end
when *PUSH_COMMANDS when *PUSH_COMMANDS
if actor.is_a? User if actor.is_a? User
push_access_check(actor, project, changes) push_access_check(actor, project, changes)
...@@ -32,7 +24,23 @@ module Gitlab ...@@ -32,7 +24,23 @@ module Gitlab
end end
end end
def download_access_check(user, project) def download_access_check(actor, project)
if actor.is_a?(User)
user_download_access_check(actor, project)
elsif actor.is_a?(DeployKey)
if actor.projects.include?(project)
build_status_object(true)
else
build_status_object(false, "Deploy key not allowed to access this project")
end
elsif actor.is_a? Key
user_download_access_check(actor.user, project)
else
raise 'Wrong actor'
end
end
def user_download_access_check(user, project)
if user && user_allowed?(user) && user.can?(:download_code, project) if user && user_allowed?(user) && user.can?(:download_code, project)
build_status_object(true) build_status_object(true)
else else
......
...@@ -46,6 +46,25 @@ describe Gitlab::GitAccess do ...@@ -46,6 +46,25 @@ describe Gitlab::GitAccess do
it { subject.allowed?.should be_false } it { subject.allowed?.should be_false }
end end
end end
describe 'deploy key permissions' do
let(:key) { create(:deploy_key) }
context 'pull code' do
context 'allowed' do
before { key.projects << project }
subject { access.download_access_check(key, project) }
it { subject.allowed?.should be_true }
end
context 'denied' do
subject { access.download_access_check(key, project) }
it { subject.allowed?.should be_false }
end
end
end
end end
describe 'push_access_check' do describe 'push_access_check' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment