Commit 207f34b890b58c09281850a37477948ec75e0ef4
Exists in
spb-stable
and in
3 other branches
Merge pull request #6190 from Popl7/add-better-branch-protection-against-history…
…-rewrite-and-deletion protect protected branches against force updates
Showing
2 changed files
with
16 additions
and
9 deletions
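--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -10,6 +10,7 @@ module API
 # project - project path with namespace
 # action - git action (git-upload-pack or git-receive-pack)
 # ref - branch name
+# forced_push - forced_push
 #
 get "/allowed" do
 # Check for *.wiki repositories.
@@ -35,7 +36,8 @@ module API
 project,
 params[:ref],
 params[:oldrev],
-params[:newrev]
+params[:newrev],
+params[:forced_push]
 )
 end
 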
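Review bot: `params[:forced_push]` is handed to `allowed?` exactly as it arrives in the request, so unless the API layer coerces it the value is a String, and in Ruby even `"false"` is truthy in the `if forced_push` test in lib/gitlab/git_access.rb, while an omitted parameter is nil and the push is treated as an ordinary one. Because this flag decides whether a history rewrite on a protected branch is refused, normalise it explicitly at this call, for example `params[:forced_push].to_s == 'true'` (assuming the caller sends the literal `true`), or derive it on the server from `oldrev` and `newrev`, which are already passed. The new comment line `# forced_push - forced_push` should state what the value means and which form is accepted, e.g. `# forced_push - "true" when the update is not a fast-forward`. The `get "/allowed"` block starts in the first hunk and continues outside both hunks.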
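--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -5,7 +5,7 @@ module Gitlab
 
 attr_reader :params, :project, :git_cmd, :user
 
-def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil)
+def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil, forced_push = false)
 case cmd
 when *DOWNLOAD_COMMANDS
 if actor.is_a? User
@@ -19,12 +19,12 @@ module Gitlab
 end
 when *PUSH_COMMANDS
 if actor.is_a? User
-push_allowed?(actor, project, ref, oldrev, newrev)
+push_allowed?(actor, project, ref, oldrev, newrev, forced_push)
 elsif actor.is_a? DeployKey
 # Deploy key not allowed to push
 return false
 elsif actor.is_a? Key
-push_allowed?(actor.user, project, ref, oldrev, newrev)
+push_allowed?(actor.user, project, ref, oldrev, newrev, forced_push)
 else
 raise 'Wrong actor'
 end
@@ -41,13 +41,18 @@ module Gitlab
 end
 end
 
-def push_allowed?(user, project, ref, oldrev, newrev)
+def push_allowed?(user, project, ref, oldrev, newrev, forced_push)
 if user && user_allowed?(user)
+
 action = if project.protected_branch?(ref)
-:push_code_to_protected_branches
-else
-:push_code
-end
+if forced_push
+:force_push_code_to_protected_branches
+else
+:push_code_to_protected_branches
+end
+else
+:push_code
+end
 user.can?(action, project)
 else
 false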
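Review bot: In `push_allowed?`, the new `:force_push_code_to_protected_branches` action is not defined or granted in either of the two files this commit changes, so the branch appears to rely on `user.can?` returning false for an action no role holds. That implicit deny deserves a comment such as `# no role is granted this ability, so forced pushes to protected branches are always refused`, and a spec that pins it. `oldrev` and `newrev` are still unused in the visible body, so the decision rests entirely on the caller-supplied `forced_push`, and a branch deletion, which the commit title also mentions, is not distinguished here unless that is handled outside the hunk. `push_allowed?` now requires `forced_push` while `allowed?` defaults it to `false`; giving it the same default (`forced_push = false`) would keep any caller not shown here working. The end of the method lies outside the hunk.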