Commit 2a4fe8d8 authored by Douwe Maan's avatar Douwe Maan Committed by GitLab Release Tools Bot

Merge branch '59289-fix-push-to-create-protected-branches' into 'master'

Allow users to create protected branches via CLI

Closes #59289

See merge request gitlab-org/gitlab-ce!26413

(cherry picked from commit b36fc6d5)

438485ef Allow users to create protected branches via CLI
parent b223a103
...@@ -12,7 +12,7 @@ ...@@ -12,7 +12,7 @@
%p %p
By default, protected branches are designed to: By default, protected branches are designed to:
%ul %ul
%li prevent their creation, if not already created, from everybody except users who are allowed to merge %li prevent their creation, if not already created, from everybody except Maintainers
%li prevent pushes from everybody except Maintainers %li prevent pushes from everybody except Maintainers
%li prevent <strong>anyone</strong> from force pushing to the branch %li prevent <strong>anyone</strong> from force pushing to the branch
%li prevent <strong>anyone</strong> from deleting the branch %li prevent <strong>anyone</strong> from deleting the branch
......
---
title: Allow users who can push to protected branches to create protected branches
via CLI
merge_request: 26413
author:
type: fixed
...@@ -10,7 +10,7 @@ created protected branches. ...@@ -10,7 +10,7 @@ created protected branches.
By default, a protected branch does four simple things: By default, a protected branch does four simple things:
- it prevents its creation, if not already created, from everybody except users - it prevents its creation, if not already created, from everybody except users
who are allowed to merge with Maintainer permission
- it prevents pushes from everybody except users with Maintainer permission - it prevents pushes from everybody except users with Maintainer permission
- it prevents **anyone** from force pushing to the branch - it prevents **anyone** from force pushing to the branch
- it prevents **anyone** from deleting the branch - it prevents **anyone** from deleting the branch
......
...@@ -59,6 +59,8 @@ module Gitlab ...@@ -59,6 +59,8 @@ module Gitlab
def protected_branch_creation_checks def protected_branch_creation_checks
logger.log_timed(LOG_MESSAGES[:protected_branch_creation_checks]) do logger.log_timed(LOG_MESSAGES[:protected_branch_creation_checks]) do
break if user_access.can_push_to_branch?(branch_name)
unless user_access.can_merge_to_branch?(branch_name) unless user_access.can_merge_to_branch?(branch_name)
raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_protected_branch] raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_protected_branch]
end end
......
...@@ -108,64 +108,86 @@ describe Gitlab::Checks::BranchCheck do ...@@ -108,64 +108,86 @@ describe Gitlab::Checks::BranchCheck do
end end
context 'protected branch creation feature is enabled' do context 'protected branch creation feature is enabled' do
context 'user is not allowed to create protected branches' do context 'user can push to branch' do
before do before do
allow(user_access) allow(user_access)
.to receive(:can_merge_to_branch?) .to receive(:can_push_to_branch?)
.with('feature') .with('feature')
.and_return(false) .and_return(true)
end end
it 'raises an error' do it 'does not raise an error' do
expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to create protected branches on this project.') expect { subject.validate! }.not_to raise_error
end end
end end
context 'user is allowed to create protected branches' do context 'user cannot push to branch' do
before do before do
allow(user_access) allow(user_access)
.to receive(:can_merge_to_branch?) .to receive(:can_push_to_branch?)
.with('feature') .with('feature')
.and_return(true) .and_return(false)
allow(project.repository)
.to receive(:branch_names_contains_sha)
.with(newrev)
.and_return(['branch'])
end end
context "newrev isn't in any protected branches" do context 'user cannot merge to branch' do
before do before do
allow(ProtectedBranch) allow(user_access)
.to receive(:any_protected?) .to receive(:can_merge_to_branch?)
.with(project, ['branch']) .with('feature')
.and_return(false) .and_return(false)
end end
it 'raises an error' do it 'raises an error' do
expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only use an existing protected branch ref as the basis of a new protected branch.') expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to create protected branches on this project.')
end end
end end
context 'newrev is included in a protected branch' do context 'user can merge to branch' do
before do before do
allow(ProtectedBranch) allow(user_access)
.to receive(:any_protected?) .to receive(:can_merge_to_branch?)
.with(project, ['branch']) .with('feature')
.and_return(true) .and_return(true)
allow(project.repository)
.to receive(:branch_names_contains_sha)
.with(newrev)
.and_return(['branch'])
end end
context 'via web interface' do context "newrev isn't in any protected branches" do
let(:protocol) { 'web' } before do
allow(ProtectedBranch)
.to receive(:any_protected?)
.with(project, ['branch'])
.and_return(false)
end
it 'allows branch creation' do it 'raises an error' do
expect { subject.validate! }.not_to raise_error expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only use an existing protected branch ref as the basis of a new protected branch.')
end end
end end
context 'via SSH' do context 'newrev is included in a protected branch' do
it 'raises an error' do before do
expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only create protected branches using the web interface and API.') allow(ProtectedBranch)
.to receive(:any_protected?)
.with(project, ['branch'])
.and_return(true)
end
context 'via web interface' do
let(:protocol) { 'web' }
it 'allows branch creation' do
expect { subject.validate! }.not_to raise_error
end
end
context 'via SSH' do
it 'raises an error' do
expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only create protected branches using the web interface and API.')
end
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment