user_access.rb 2.87 KB
Newer Older
1 2
# frozen_string_literal: true

3
module Gitlab
4
  class UserAccess
5
    extend Gitlab::Cache::RequestCache
6

7
    request_cache_key do
8 9 10
      [user&.id, project&.id]
    end

11 12
    attr_reader :user
    attr_accessor :project
13 14 15 16 17 18 19

    def initialize(user, project: nil)
      @user = user
      @project = project
    end

    def can_do_action?(action)
20
      return false unless can_access_git?
21

22 23 24 25
      permission_cache[action] =
        permission_cache.fetch(action) do
          user.can?(action, project)
        end
26 27 28 29 30 31 32
    end

    def cannot_do_action?(action)
      !can_do_action?(action)
    end

    def allowed?
33
      return false unless can_access_git?
34

Jacob Vosmaer's avatar
Jacob Vosmaer committed
35
      if user.requires_ldap_check? && user.try_obtain_ldap_lease
36
        return false unless Gitlab::Auth::LDAP::Access.allowed?(user)
37 38 39 40
      end

      true
    end
41

42
    request_cache def can_create_tag?(ref)
43 44
      return false unless can_access_git?

45 46
      if protected?(ProtectedTag, project, ref)
        protected_tag_accessible_to?(ref, action: :create)
47 48 49 50 51
      else
        user.can?(:push_code, project)
      end
    end

52
    request_cache def can_delete_branch?(ref)
53 54
      return false unless can_access_git?

55
      if protected?(ProtectedBranch, project, ref)
56
        user.can?(:push_to_delete_protected_branch, project)
57 58 59 60 61
      else
        user.can?(:push_code, project)
      end
    end

62
    def can_update_branch?(ref)
63 64 65
      can_push_to_branch?(ref) || can_merge_to_branch?(ref)
    end

66
    request_cache def can_push_to_branch?(ref)
67
      return false unless can_access_git?
68 69
      return false unless project

70
      return false if !user.can?(:push_code, project) && !project.branch_allows_collaboration?(user, ref)
71

72
      if protected?(ProtectedBranch, project, ref)
73
        protected_branch_accessible_to?(ref, action: :push)
74
      else
75
        true
76 77 78
      end
    end

79
    request_cache def can_merge_to_branch?(ref)
80
      return false unless can_access_git?
81

82 83
      if protected?(ProtectedBranch, project, ref)
        protected_branch_accessible_to?(ref, action: :merge)
84 85 86 87 88 89
      else
        user.can?(:push_code, project)
      end
    end

    def can_read_project?
90
      return false unless can_access_git?
91 92 93

      user.can?(:read_project, project)
    end
94 95 96

    private

97 98 99 100
    def permission_cache
      @permission_cache ||= {}
    end

101 102
    def can_access_git?
      user && user.can?(:access_git)
103
    end
104 105 106

    def protected_branch_accessible_to?(ref, action:)
      ProtectedBranch.protected_ref_accessible_to?(
107
        ref, user,
108
        project: project,
109
        action: action,
110 111 112 113 114
        protected_refs: project.protected_branches)
    end

    def protected_tag_accessible_to?(ref, action:)
      ProtectedTag.protected_ref_accessible_to?(
115
        ref, user,
116
        project: project,
117
        action: action,
118 119 120
        protected_refs: project.protected_tags)
    end

121 122
    request_cache def protected?(kind, project, refs)
      kind.protected?(project, refs)
123
    end
124 125
  end
end