提交
4830b2be
编写于
3月 24, 2015
作者:
D
Douwe Maan
Refactor GitAccess to use instance variables.
上级
2953e0d1
Showing
13 changed file
with
132 addition
and
93 deletion
+132
-93
app/controllers/projects/merge_requests_controller.rb
app/controllers/projects/merge_requests_controller.rb
+1
-1
app/helpers/branches_helper.rb
app/helpers/branches_helper.rb
+1
-1
app/helpers/tree_helper.rb
app/helpers/tree_helper.rb
+1
-1
app/services/files/create_service.rb
app/services/files/create_service.rb
+1
-1
app/services/files/delete_service.rb
app/services/files/delete_service.rb
+1
-1
app/services/files/update_service.rb
app/services/files/update_service.rb
+1
-1
lib/api/internal.rb
lib/api/internal.rb
+17
-19
lib/api/merge_requests.rb
lib/api/merge_requests.rb
+2
-1
lib/gitlab/backend/grack_auth.rb
lib/gitlab/backend/grack_auth.rb
+1
-1
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+83
-45
lib/gitlab/git_access_wiki.rb
lib/gitlab/git_access_wiki.rb
+1
-1
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+20
-18
spec/lib/gitlab/git_access_wiki_spec.rb
spec/lib/gitlab/git_access_wiki_spec.rb
+2
-2
app/controllers/projects/merge_requests_controller.rb
...
...
@@ -257,7 +257,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
end
def
allowed_to_push_code?
(
project
,
branch
)
::
Gitlab
::
GitAccess
.
can_push_to_branch?
(
current_user
,
project
,
branch
)
::
Gitlab
::
GitAccess
.
new
(
current_user
,
project
).
can_push_to_branch?
(
branch
)
end
def
merge_request_params
...
...
app/helpers/branches_helper.rb
...
...
@@ -12,6 +12,6 @@ module BranchesHelper
def
can_push_branch?
(
project
,
branch_name
)
return
false
unless
project
.
repository
.
branch_names
.
include?
(
branch_name
)
::
Gitlab
::
GitAccess
.
can_push_to_branch?
(
current_user
,
project
,
branch_name
)
::
Gitlab
::
GitAccess
.
new
(
current_user
,
project
).
can_push_to_branch?
(
branch_name
)
end
end
app/helpers/tree_helper.rb
...
...
@@ -56,7 +56,7 @@ module TreeHelper
ref
||=
@ref
return
false
unless
project
.
repository
.
branch_names
.
include?
(
ref
)
::
Gitlab
::
GitAccess
.
can_push_to_branch?
(
current_user
,
project
,
ref
)
::
Gitlab
::
GitAccess
.
new
(
current_user
,
project
).
can_push_to_branch?
(
ref
)
end
def
tree_breadcrumbs
(
tree
,
max_links
=
2
)
...
...
app/services/files/create_service.rb
...
...
@@ -3,7 +3,7 @@ require_relative "base_service"
module
Files
class
CreateService
<
BaseService
def
execute
allowed
=
Gitlab
::
GitAccess
.
can_push_to_branch?
(
current_user
,
project
,
ref
)
allowed
=
Gitlab
::
GitAccess
.
new
(
current_user
,
project
).
can_push_to_branch?
(
ref
)
unless
allowed
return
error
(
"You are not allowed to create file in this branch"
)
...
...
app/services/files/delete_service.rb
...
...
@@ -3,7 +3,7 @@ require_relative "base_service"
module
Files
class
DeleteService
<
BaseService
def
execute
allowed
=
::
Gitlab
::
GitAccess
.
can_push_to_branch?
(
current_user
,
project
,
ref
)
allowed
=
::
Gitlab
::
GitAccess
.
new
(
current_user
,
project
).
can_push_to_branch?
(
ref
)
unless
allowed
return
error
(
"You are not allowed to push into this branch"
)
...
...
app/services/files/update_service.rb
...
...
@@ -3,7 +3,7 @@ require_relative "base_service"
module
Files
class
UpdateService
<
BaseService
def
execute
allowed
=
::
Gitlab
::
GitAccess
.
can_push_to_branch?
(
current_user
,
project
,
ref
)
allowed
=
::
Gitlab
::
GitAccess
.
new
(
current_user
,
project
).
can_push_to_branch?
(
ref
)
unless
allowed
return
error
(
"You are not allowed to push into this branch"
)
...
...
lib/api/internal.rb
...
...
@@ -17,39 +17,37 @@ module API
post
"/allowed"
do
status
200
actor
=
if
params
[
:key_id
]
Key
.
find_by
(
id:
params
[
:key_id
])
elsif
params
[
:user_id
]
User
.
find_by
(
id:
params
[
:user_id
])
end
actor
=
if
params
[
:key_id
]
Key
.
find_by
(
id:
params
[
:key_id
])
elsif
params
[
:user_id
]
User
.
find_by
(
id:
params
[
:user_id
])
end
unless
actor
return
Gitlab
::
GitAccessStatus
.
new
(
false
,
'No such user or key'
)
end
project_path
=
params
[
:project
]
# Check for *.wiki repositories.
# Strip out the .wiki from the pathname before finding the
# project. This applies the correct project permissions to
# the wiki repository as well.
access
=
if
project_path
.
end_with?
(
'.wiki'
)
project_path
.
chomp!
(
'.wiki'
)
Gitlab
::
GitAccessWiki
.
new
else
Gitlab
::
GitAccess
.
new
end
wiki
=
project_path
.
end_with?
(
'.wiki'
)
project_path
.
chomp!
(
'.wiki'
)
if
wiki
project
=
Project
.
find_with_namespace
(
project_path
)
if
project
status
=
access
.
check
(
actor
,
params
[
:action
],
project
,
params
[
:changes
]
)
access
=
if
wiki
Gitlab
::
GitAccessWiki
.
new
(
actor
,
project
)
else
Gitlab
::
GitAccess
.
new
(
actor
,
project
)
end
status
=
access
.
check
(
params
[
:action
],
params
[
:changes
])
end
if
project
&&
status
&&
status
.
allowed?
...
...
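Review bot: `project_path.chomp!('.wiki') if wiki` mutates the very String that `params[:project]` still references, so anything that reads `params[:project]` after this point (an error message, a log line) sees the wiki suffix silently stripped; the non-destructive `project_path = project_path.chomp('.wiki') if wiki` keeps the request parameter intact. The aliasing predates this commit, but the rewrite moved the line, so it is a cheap fix to fold in here. Note also that `access.check` can now raise (this commit's `GitAccess` raises `'Wrong actor'` for an actor it does not recognise) and the endpoint has no rescue, so that path answers gitlab-shell with a failed request rather than a `GitAccessStatus`; if that fail-closed behaviour is intended it deserves a comment such as `# GitAccess#check raises for unknown actor types; the resulting error denies access`. The `post "/allowed"` block continues past the end of the hunk.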
lib/api/merge_requests.rb
...
...
@@ -178,7 +178,8 @@ module API
put
":id/merge_request/:merge_request_id/merge"
do
merge_request
=
user_project
.
merge_requests
.
find
(
params
[
:merge_request_id
])
allowed
=
::
Gitlab
::
GitAccess
.
can_push_to_branch?
(
current_user
,
user_project
,
merge_request
.
target_branch
)
allowed
=
::
Gitlab
::
GitAccess
.
new
(
current_user
,
user_project
).
can_push_to_branch?
(
merge_request
.
target_branch
)
if
allowed
if
merge_request
.
unchecked?
...
...
lib/gitlab/backend/grack_auth.rb
...
...
@@ -112,7 +112,7 @@ module Grack
case
git_cmd
when
*
Gitlab
::
GitAccess
::
DOWNLOAD_COMMANDS
if
user
Gitlab
::
GitAccess
.
new
.
download_access_check
(
user
,
project
)
.
allowed?
Gitlab
::
GitAccess
.
new
(
user
,
project
).
download_access_check
.
allowed?
elsif
project
.
public?
# Allow clone/fetch for public projects
true
...
...
lib/gitlab/git_access.rb
...
...
@@ -3,9 +3,32 @@ module Gitlab
DOWNLOAD_COMMANDS
=
%w{ git-upload-pack git-upload-archive }
PUSH_COMMANDS
=
%w{ git-receive-pack }
attr_reader
:
params
,
:project
,
:git_cmd
,
:user
attr_reader
:
actor
,
:project
def
self
.
can_push_to_branch?
(
user
,
project
,
ref
)
def
initialize
(
actor
,
project
)
@actor
=
actor
@project
=
project
end
def
user
return
@user
if
defined?
(
@user
)
@user
=
case
actor
when
User
actor
when
DeployKey
nil
when
Key
actor
.
user
end
end
def
deploy_key
actor
if
actor
.
is_a?
(
DeployKey
)
end
def
can_push_to_branch?
(
ref
)
return
false
unless
user
if
project
.
protected_branch?
(
ref
)
&&
...
...
@@ -16,51 +39,65 @@ module Gitlab
end
end
def
check
(
actor
,
cmd
,
project
,
changes
=
nil
)
def
can_read_project?
if
user
user
.
can?
(
:read_project
,
project
)
elsif
deploy_key
deploy_key
.
projects
.
include?
(
project
)
else
false
end
end
def
check
(
cmd
,
changes
=
nil
)
case
cmd
when
*
DOWNLOAD_COMMANDS
download_access_check
(
actor
,
project
)
download_access_check
when
*
PUSH_COMMANDS
if
actor
.
is_a?
User
push_access_check
(
actor
,
project
,
changes
)
elsif
actor
.
is_a?
DeployKey
return
build_status_object
(
false
,
"Deploy key not allowed to push"
)
elsif
actor
.
is_a?
Key
push_access_check
(
actor
.
user
,
project
,
changes
)
else
raise
'Wrong actor'
end
push_access_check
(
changes
)
else
return
build_status_object
(
false
,
"Wrong command"
)
build_status_object
(
false
,
"Wrong command"
)
end
end
def
download_access_check
(
actor
,
project
)
if
actor
.
is_a?
(
User
)
user_download_access_check
(
actor
,
project
)
elsif
actor
.
is_a?
(
DeployKey
)
if
actor
.
projects
.
include?
(
project
)
build_status_object
(
true
)
else
build_status_object
(
false
,
"Deploy key not allowed to access this project"
)
end
elsif
actor
.
is_a?
Key
user_download_access_check
(
actor
.
user
,
project
)
def
download_access_check
if
user
user_download_access_check
elsif
deploy_key
deploy_key_download_access_check
else
raise
'Wrong actor'
end
end
def
user_download_access_check
(
user
,
project
)
if
user
&&
user_allowed?
(
user
)
&&
user
.
can?
(
:download_code
,
project
)
def
push_access_check
(
changes
)
if
user
user_push_access_check
(
changes
)
elsif
deploy_key
build_status_object
(
false
,
"Deploy key not allowed to push"
)
else
raise
'Wrong actor'
end
end
def
user_download_access_check
if
user
&&
user_allowed?
&&
user
.
can?
(
:download_code
,
project
)
build_status_object
(
true
)
else
build_status_object
(
false
,
"You don't have access"
)
end
end
def
push_access_check
(
user
,
project
,
changes
)
unless
user
&&
user_allowed?
(
user
)
def
deploy_key_download_access_check
if
can_read_project?
build_status_object
(
true
)
else
build_status_object
(
false
,
"Deploy key not allowed to access this project"
)
end
end
def
user_push_access_check
(
changes
)
unless
user
&&
user_allowed?
return
build_status_object
(
false
,
"You don't have access"
)
end
...
...
@@ -76,27 +113,28 @@ module Gitlab
# Iterate over all changes to find if user allowed all of them to be applied
changes
.
map
(
&
:strip
).
reject
(
&
:blank?
).
each
do
|
change
|
status
=
change_access_check
(
user
,
project
,
change
)
status
=
change_access_check
(
change
)
unless
status
.
allowed?
# If user does not have access to make at least one change - cancel all push
return
status
end
end
return
build_status_object
(
true
)
build_status_object
(
true
)
end
def
change_access_check
(
user
,
project
,
change
)
def
change_access_check
(
change
)
oldrev
,
newrev
,
ref
=
change
.
split
(
' '
)
action
=
if
project
.
protected_branch?
(
branch_name
(
ref
))
protected_branch_action
(
project
,
oldrev
,
newrev
,
branch_name
(
ref
))
elsif
protected_tag?
(
project
,
tag_name
(
ref
))
# Prevent any changes to existing git tag unless user has permissions
:admin_project
else
:push_code
end
action
=
if
project
.
protected_branch?
(
branch_name
(
ref
))
protected_branch_action
(
oldrev
,
newrev
,
branch_name
(
ref
))
elsif
protected_tag?
(
tag_name
(
ref
))
# Prevent any changes to existing git tag unless user has permissions
:admin_project
else
:push_code
end
if
user
.
can?
(
action
,
project
)
build_status_object
(
true
)
...
...
@@ -105,15 +143,15 @@ module Gitlab
end
end
def
forced_push?
(
project
,
oldrev
,
newrev
)
def
forced_push?
(
oldrev
,
newrev
)
Gitlab
::
ForcePushCheck
.
force_push?
(
project
,
oldrev
,
newrev
)
end
private
def
protected_branch_action
(
project
,
oldrev
,
newrev
,
branch_name
)
def
protected_branch_action
(
oldrev
,
newrev
,
branch_name
)
# we dont allow force push to protected branch
if
forced_push?
(
project
,
oldrev
,
newrev
)
if
forced_push?
(
oldrev
,
newrev
)
:force_push_code_to_protected_branches
elsif
Gitlab
::
Git
.
blank_ref?
(
newrev
)
# and we dont allow remove of protected branch
...
...
@@ -125,11 +163,11 @@ module Gitlab
end
end
def
protected_tag?
(
project
,
tag_name
)
def
protected_tag?
(
tag_name
)
project
.
repository
.
tag_names
.
include?
(
tag_name
)
end
def
user_allowed?
(
user
)
def
user_allowed?
Gitlab
::
UserAccess
.
allowed?
(
user
)
end
...
...
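Review bot: The `case actor` in the new `user` method depends on `DeployKey` being tested before `Key` — if `DeployKey` is a subclass of `Key`, as its use alongside `Key` here suggests, swapping those two branches would make a deploy key resolve to a user and skip the `"Deploy key not allowed to push"` branch of `push_access_check`; that load-bearing order deserves a comment such as `# DeployKey must precede Key: a deploy key has no user who may push`. Separately, a plain `Key` whose `user` association is nil now falls through both `download_access_check` and `push_access_check` to `raise 'Wrong actor'`, whereas the removed code passed `actor.user` down and answered with `build_status_object(false, "You don't have access")`; raising is fail-closed, but it surfaces as an unhandled exception to the caller, so consider `elsif actor.is_a?(Key)` / `build_status_object(false, "You don't have access")` ahead of the `else raise` in both methods. The `GitAccess` class header and the tail of `user_push_access_check` lie outside the visible hunks.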
lib/gitlab/git_access_wiki.rb
module
Gitlab
class
GitAccessWiki
<
GitAccess
def
change_access_check
(
user
,
project
,
change
)
def
change_access_check
(
change
)
if
user
.
can?
(
:write_wiki
,
project
)
build_status_object
(
true
)
else
...
...
spec/lib/gitlab/git_access_spec.rb
require
'spec_helper'
describe
Gitlab
::
GitAccess
do
let
(
:access
)
{
Gitlab
::
GitAccess
.
new
}
let
(
:access
)
{
Gitlab
::
GitAccess
.
new
(
actor
,
project
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:actor
)
{
user
}
describe
'can_push_to_branch?'
do
describe
'push to none protected branch'
do
it
"returns true if user is a master"
do
project
.
team
<<
[
user
,
:master
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
"random_branch"
)).
to
be_truthy
expect
(
access
.
can_push_to_branch?
(
"random_branch"
)).
to
be_truthy
end
it
"returns true if user is a developer"
do
project
.
team
<<
[
user
,
:developer
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
"random_branch"
)).
to
be_truthy
expect
(
access
.
can_push_to_branch?
(
"random_branch"
)).
to
be_truthy
end
it
"returns false if user is a reporter"
do
project
.
team
<<
[
user
,
:reporter
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
"random_branch"
)).
to
be_falsey
expect
(
access
.
can_push_to_branch?
(
"random_branch"
)).
to
be_falsey
end
end
...
...
@@ -30,17 +31,17 @@ describe Gitlab::GitAccess do
it
"returns true if user is a master"
do
project
.
team
<<
[
user
,
:master
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
@branch
.
name
)).
to
be_truthy
expect
(
access
.
can_push_to_branch?
(
@branch
.
name
)).
to
be_truthy
end
it
"returns false if user is a developer"
do
project
.
team
<<
[
user
,
:developer
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
@branch
.
name
)).
to
be_falsey
expect
(
access
.
can_push_to_branch?
(
@branch
.
name
)).
to
be_falsey
end
it
"returns false if user is a reporter"
do
project
.
team
<<
[
user
,
:reporter
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
@branch
.
name
)).
to
be_falsey
expect
(
access
.
can_push_to_branch?
(
@branch
.
name
)).
to
be_falsey
end
end
...
...
@@ -51,17 +52,17 @@ describe Gitlab::GitAccess do
it
"returns true if user is a master"
do
project
.
team
<<
[
user
,
:master
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
@branch
.
name
)).
to
be_truthy
expect
(
access
.
can_push_to_branch?
(
@branch
.
name
)).
to
be_truthy
end
it
"returns true if user is a developer"
do
project
.
team
<<
[
user
,
:developer
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
@branch
.
name
)).
to
be_truthy
expect
(
access
.
can_push_to_branch?
(
@branch
.
name
)).
to
be_truthy
end
it
"returns false if user is a reporter"
do
project
.
team
<<
[
user
,
:reporter
]
expect
(
Gitlab
::
GitAccess
.
can_push_to_branch?
(
user
,
project
,
@branch
.
name
)).
to
be_falsey
expect
(
access
.
can_push_to_branch?
(
@branch
.
name
)).
to
be_falsey
end
end
...
...
@@ -72,7 +73,7 @@ describe Gitlab::GitAccess do
before
{
project
.
team
<<
[
user
,
:master
]
}
context
'pull code'
do
subject
{
access
.
download_access_check
(
user
,
project
)
}
subject
{
access
.
download_access_check
}
it
{
expect
(
subject
.
allowed?
).
to
be_truthy
}
end
...
...
@@ -82,7 +83,7 @@ describe Gitlab::GitAccess do
before
{
project
.
team
<<
[
user
,
:guest
]
}
context
'pull code'
do
subject
{
access
.
download_access_check
(
user
,
project
)
}
subject
{
access
.
download_access_check
}
it
{
expect
(
subject
.
allowed?
).
to
be_falsey
}
end
...
...
@@ -95,7 +96,7 @@ describe Gitlab::GitAccess do
end
context
'pull code'
do
subject
{
access
.
download_access_check
(
user
,
project
)
}
subject
{
access
.
download_access_check
}
it
{
expect
(
subject
.
allowed?
).
to
be_falsey
}
end
...
...
@@ -103,7 +104,7 @@ describe Gitlab::GitAccess do
describe
'without acccess to project'
do
context
'pull code'
do
subject
{
access
.
download_access_check
(
user
,
project
)
}
subject
{
access
.
download_access_check
}
it
{
expect
(
subject
.
allowed?
).
to
be_falsey
}
end
...
...
@@ -111,17 +112,18 @@ describe Gitlab::GitAccess do
describe
'deploy key permissions'
do
let
(
:key
)
{
create
(
:deploy_key
)
}
let
(
:actor
)
{
key
}
context
'pull code'
do
context
'allowed'
do
before
{
key
.
projects
<<
project
}
subject
{
access
.
download_access_check
(
key
,
project
)
}
subject
{
access
.
download_access_check
}
it
{
expect
(
subject
.
allowed?
).
to
be_truthy
}
end
context
'denied'
do
subject
{
access
.
download_access_check
(
key
,
project
)
}
subject
{
access
.
download_access_check
}
it
{
expect
(
subject
.
allowed?
).
to
be_falsey
}
end
...
...
@@ -205,7 +207,7 @@ describe Gitlab::GitAccess do
permissions_matrix
[
role
].
each
do
|
action
,
allowed
|
context
action
do
subject
{
access
.
push_access_check
(
user
,
project
,
changes
[
action
])
}
subject
{
access
.
push_access_check
(
changes
[
action
])
}
it
{
expect
(
subject
.
allowed?
).
to
allowed
?
be_truthy
:
be_falsey
}
end
...
...
@@ -221,7 +223,7 @@ describe Gitlab::GitAccess do
updated_permissions_matrix
[
role
].
each
do
|
action
,
allowed
|
context
action
do
subject
{
access
.
push_access_check
(
user
,
project
,
changes
[
action
])
}
subject
{
access
.
push_access_check
(
changes
[
action
])
}
it
{
expect
(
subject
.
allowed?
).
to
allowed
?
be_truthy
:
be_falsey
}
end
...
...
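Review bot: The rewritten specs only ever build `access` with a `User` (`let(:actor) { user }`) or a `DeployKey` (`let(:actor) { key }`), so the new `Key` branch of `GitAccess#user` — the `actor.user` resolution that SSH pushes go through — has no coverage visible in this diff, and neither does the `"Deploy key not allowed to push"` branch of `push_access_check`. A context such as `let(:actor) { create(:key, user: user) }` reusing the existing `can_push_to_branch?` expectations, plus a deploy-key `push_access_check` example asserting `subject.allowed?` is false, would pin both paths. Whether a `:key` factory exists is not visible here.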
spec/lib/gitlab/git_access_wiki_spec.rb
require
'spec_helper'
describe
Gitlab
::
GitAccessWiki
do
let
(
:access
)
{
Gitlab
::
GitAccessWiki
.
new
}
let
(
:access
)
{
Gitlab
::
GitAccessWiki
.
new
(
user
,
project
)
}
let
(
:project
)
{
create
(
:project
)
}
let
(
:user
)
{
create
(
:user
)
}
...
...
@@ -11,7 +11,7 @@ describe Gitlab::GitAccessWiki do
project
.
team
<<
[
user
,
:developer
]
end
subject
{
access
.
push_access_check
(
user
,
project
,
changes
)
}
subject
{
access
.
push_access_check
(
changes
)
}
it
{
expect
(
subject
.
allowed?
).
to
be_truthy
}
end
...
...