From 182aa19e26cbc77b3cc7f10f0c228ea4aa2d7c77 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Date: Wed, 20 Nov 2013 11:06:19 +0200
Subject: [PATCH] Parse all refs when do push via HTTP and check permissions for all of them

---
 lib/gitlab/backend/grack_auth.rb | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index e09cf31..39ffb5f 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -82,13 +82,17 @@ module Grack
       when 'git-upload-pack'
         project.public || can?(user, :download_code, project)
       when'git-receive-pack'
-        action = if project.protected_branch?(ref)
-                   :push_code_to_protected_branches
-                 else
-                   :push_code
-                 end
+        refs.each do |ref|
+          action = if project.protected_branch?(ref)
+                     :push_code_to_protected_branches
+                   else
+                     :push_code
+                   end
+
+          return false unless can?(user, action, project)
+        end
 
-        can?(user, action, project)
+        true
       else
         false
       end
@@ -108,11 +112,11 @@ module Grack
       @project ||= project_by_path(@request.path_info)
     end
 
-    def ref
-      @ref ||= parse_ref
+    def refs
+      @refs ||= parse_refs
     end
 
-    def parse_ref
+    def parse_refs
       input = if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
                 Zlib::GzipReader.new(@request.body).read
               else
@@ -121,7 +125,7 @@ module Grack
 
       # Need to reset seek point
       @request.body.rewind
-      /refs\/heads\/([\/\w\.-]+)/n.match(input.force_encoding('ascii-8bit')).to_a.last
+      input.force_encoding('ascii-8bit').scan(/refs\/heads\/([\/\w\.-]+)/n).flatten.compact
     end
   end
 end
--
libgit2 0.21.2