Commit 6d841eaa authored by Timothy Andrew's avatar Timothy Andrew

Authorize user before creating/updating a protected branch.

1. This is a third line of defence (first in the view, second in the
   controller).

2. Duplicate the `API::Helpers.to_boolean` method in `BaseService`. The
   other alternative is to `include API::Helpers`, but this brings with it
   a number of other methods that might cause conflicts.

3. Return a 403 if authorization fails.
parent 01d190a8
module ProtectedBranches module ProtectedBranches
class BaseService < ::BaseService class BaseService < ::BaseService
include API::Helpers
def initialize(project, current_user, params = {}) def initialize(project, current_user, params = {})
super(project, current_user, params) super(project, current_user, params)
@allowed_to_push = params[:allowed_to_push] @allowed_to_push = params[:allowed_to_push]
...@@ -14,7 +12,7 @@ def set_access_levels! ...@@ -14,7 +12,7 @@ def set_access_levels!
set_push_access_levels! set_push_access_levels!
end end
protected private
def set_merge_access_levels! def set_merge_access_levels!
case @allowed_to_merge case @allowed_to_merge
...@@ -56,5 +54,14 @@ def translate_api_params! ...@@ -56,5 +54,14 @@ def translate_api_params!
'masters' 'masters'
end end
end end
protected
def to_boolean(value)
return true if value =~ /^(true|t|yes|y|1|on)$/i
return false if value =~ /^(false|f|no|n|0|off)$/i
nil
end
end end
end end
...@@ -3,6 +3,8 @@ class CreateService < ProtectedBranches::BaseService ...@@ -3,6 +3,8 @@ class CreateService < ProtectedBranches::BaseService
attr_reader :protected_branch attr_reader :protected_branch
def execute def execute
raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
ProtectedBranch.transaction do ProtectedBranch.transaction do
@protected_branch = project.protected_branches.new(name: params[:name]) @protected_branch = project.protected_branches.new(name: params[:name])
@protected_branch.save! @protected_branch.save!
......
...@@ -4,12 +4,13 @@ class UpdateService < ProtectedBranches::BaseService ...@@ -4,12 +4,13 @@ class UpdateService < ProtectedBranches::BaseService
def initialize(project, current_user, id, params = {}) def initialize(project, current_user, id, params = {})
super(project, current_user, params) super(project, current_user, params)
@id = id @protected_branch = ProtectedBranch.find(id)
end end
def execute def execute
raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
ProtectedBranch.transaction do ProtectedBranch.transaction do
@protected_branch = ProtectedBranch.find(@id)
set_access_levels! set_access_levels!
end end
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment