1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
# frozen_string_literal: true
module ProtectedRefAccess
include Importable
extend ActiveSupport::Concern
class_methods do
def human_access_levels
{
Gitlab::Access::DEVELOPER => 'Developers + Maintainers',
Gitlab::Access::MAINTAINER => 'Maintainers',
Gitlab::Access::ADMIN => 'Instance admins',
Gitlab::Access::NO_ACCESS => 'No one'
}.slice(*allowed_access_levels)
end
def allowed_access_levels
levels = [
Gitlab::Access::DEVELOPER,
Gitlab::Access::MAINTAINER,
Gitlab::Access::ADMIN,
Gitlab::Access::NO_ACCESS
]
return levels unless Gitlab.com?
levels.excluding(Gitlab::Access::ADMIN)
end
def humanize(access_level)
human_access_levels[access_level]
end
def non_role_types
[]
end
end
included do
scope :maintainer, -> { where(access_level: Gitlab::Access::MAINTAINER) }
scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) }
# If there aren't any `non_role_types`, `all` will be returned. If any
# `non_role_types` are present we add them to the query i.e.
# => all.where("#{'user'}_id": nil).where("#{'group'}_id": nil)
scope :for_role, -> { non_role_types.inject(all) { |scope, type| scope.where("#{type}_id": nil) } }
protected_ref_fk = "#{module_parent.model_name.singular}_id"
validates :access_level,
presence: true,
inclusion: { in: allowed_access_levels },
uniqueness: { scope: protected_ref_fk, conditions: -> { for_role } },
if: :role?
end
def type
:role
end
def role?
type == :role
end
def humanize
# humanize_role
# humanize_user
# humanize_group
# humanize_deploy_key
send(:"humanize_#{type}") # rubocop:disable GitlabSecurity/PublicSend -- Intentional meta programming to direct to correct type
end
def check_access(current_user, current_project = protected_ref_project)
return false if current_user.nil? || no_access?
return current_user.admin? if admin_access?
# role_access_allowed?
# user_access_allowed?
# group_access_allowed?
# deploy_key_access_allowed?
send(:"#{type}_access_allowed?", current_user, current_project) # rubocop:disable GitlabSecurity/PublicSend -- Intentional meta programming to direct check to correct type
end
private
def humanize_role
self.class.humanize(access_level)
end
def admin_access?
role? && access_level == ::Gitlab::Access::ADMIN
end
def no_access?
role? && access_level == Gitlab::Access::NO_ACCESS
end
def role_access_allowed?(current_user, current_project)
# NOTE: A user could be a group member which would be inherited in
# projects, however, the same user can have direct membership to a
# project with a higher role. For this reason we need to check group-level
# rules against the current project when merging an MR or pushing changes
# to a protected branch.
if current_project
current_user.can?(:push_code, current_project) &&
current_project.team.max_member_access(current_user.id) >= access_level
elsif protected_branch_group
protected_branch_group.max_member_access_for_user(current_user) >= access_level
end
end
end
ProtectedRefAccess.include_mod_with('ProtectedRefAccess::Scopes')
ProtectedRefAccess.prepend_mod_with('ProtectedRefAccess')
# When using `prepend` (or `include` for that matter), the `ClassMethods`
# constants are not merged. This means that `class_methods` in
# `EE::ProtectedRefAccess` would be ignored.
#
# To work around this, we prepend the `ClassMethods` constant manually.
ProtectedRefAccess::ClassMethods.prepend_mod_with('ProtectedRefAccess::ClassMethods')
|
