Commit 207f34b890b58c09281850a37477948ec75e0ef4
Exists in
spb-stable
and in
3 other branches
Merge pull request #6190 from Popl7/add-better-branch-protection-against-history…
…-rewrite-and-deletion protect protected branched to force updates
Showing
2 changed files
with
16 additions
and
9 deletions
Show diff stats
lib/api/internal.rb
| @@ -10,6 +10,7 @@ module API | @@ -10,6 +10,7 @@ module API | ||
| 10 | # project - project path with namespace | 10 | # project - project path with namespace |
| 11 | # action - git action (git-upload-pack or git-receive-pack) | 11 | # action - git action (git-upload-pack or git-receive-pack) |
| 12 | # ref - branch name | 12 | # ref - branch name |
| 13 | + # forced_push - forced_push | ||
| 13 | # | 14 | # |
| 14 | get "/allowed" do | 15 | get "/allowed" do |
| 15 | # Check for *.wiki repositories. | 16 | # Check for *.wiki repositories. |
| @@ -35,7 +36,8 @@ module API | @@ -35,7 +36,8 @@ module API | ||
| 35 | project, | 36 | project, |
| 36 | params[:ref], | 37 | params[:ref], |
| 37 | params[:oldrev], | 38 | params[:oldrev], |
| 38 | - params[:newrev] | 39 | + params[:newrev], |
| 40 | + params[:forced_push] | ||
| 39 | ) | 41 | ) |
| 40 | end | 42 | end |
| 41 | 43 |
lib/gitlab/git_access.rb
| @@ -5,7 +5,7 @@ module Gitlab | @@ -5,7 +5,7 @@ module Gitlab | ||
| 5 | 5 | ||
| 6 | attr_reader :params, :project, :git_cmd, :user | 6 | attr_reader :params, :project, :git_cmd, :user |
| 7 | 7 | ||
| 8 | - def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil) | 8 | + def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil, forced_push = false) |
| 9 | case cmd | 9 | case cmd |
| 10 | when *DOWNLOAD_COMMANDS | 10 | when *DOWNLOAD_COMMANDS |
| 11 | if actor.is_a? User | 11 | if actor.is_a? User |
| @@ -19,12 +19,12 @@ module Gitlab | @@ -19,12 +19,12 @@ module Gitlab | ||
| 19 | end | 19 | end |
| 20 | when *PUSH_COMMANDS | 20 | when *PUSH_COMMANDS |
| 21 | if actor.is_a? User | 21 | if actor.is_a? User |
| 22 | - push_allowed?(actor, project, ref, oldrev, newrev) | 22 | + push_allowed?(actor, project, ref, oldrev, newrev, forced_push) |
| 23 | elsif actor.is_a? DeployKey | 23 | elsif actor.is_a? DeployKey |
| 24 | # Deploy key not allowed to push | 24 | # Deploy key not allowed to push |
| 25 | return false | 25 | return false |
| 26 | elsif actor.is_a? Key | 26 | elsif actor.is_a? Key |
| 27 | - push_allowed?(actor.user, project, ref, oldrev, newrev) | 27 | + push_allowed?(actor.user, project, ref, oldrev, newrev, forced_push) |
| 28 | else | 28 | else |
| 29 | raise 'Wrong actor' | 29 | raise 'Wrong actor' |
| 30 | end | 30 | end |
| @@ -41,13 +41,18 @@ module Gitlab | @@ -41,13 +41,18 @@ module Gitlab | ||
| 41 | end | 41 | end |
| 42 | end | 42 | end |
| 43 | 43 | ||
| 44 | - def push_allowed?(user, project, ref, oldrev, newrev) | 44 | + def push_allowed?(user, project, ref, oldrev, newrev, forced_push) |
| 45 | if user && user_allowed?(user) | 45 | if user && user_allowed?(user) |
| 46 | + | ||
| 46 | action = if project.protected_branch?(ref) | 47 | action = if project.protected_branch?(ref) |
| 47 | - :push_code_to_protected_branches | ||
| 48 | - else | ||
| 49 | - :push_code | ||
| 50 | - end | 48 | + if forced_push |
| 49 | + :force_push_code_to_protected_branches | ||
| 50 | + else | ||
| 51 | + :push_code_to_protected_branches | ||
| 52 | + end | ||
| 53 | + else | ||
| 54 | + :push_code | ||
| 55 | + end | ||
| 51 | user.can?(action, project) | 56 | user.can?(action, project) |
| 52 | else | 57 | else |
| 53 | false | 58 | false |