Commit ac777911fd9773d1cfdb98ae008be33154377d94
Exists in
spb-stable
and in
2 other branches
Merge branch 'tags-protection' into 'master'
Git tags protection Only masters can remove or modify git tags. Fixes #1223
Showing
4 changed files
with
6 additions
and
1 deletions
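--- a/CHANGELOG
+++ b/CHANGELOG
@@ -12,6 +12,7 @@ v 7.0.0
 - Make it easier to implement other CI services for GitLab
 - Group masters can create projects in group
 - Deprecate ruby 1.9.3 support
+ - Only masters can rewrite/remove git tags
 
 v 6.9.2
 - Revert the commit that broke the LDAP user filter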
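--- a/app/views/projects/tags/_tag.html.haml
+++ b/app/views/projects/tags/_tag.html.haml
@@ -17,6 +17,6 @@
 - if can? current_user, :download_code, @project
 = render 'projects/repositories/download_archive', ref: tag.name, btn_class: 'btn-grouped btn-group-small'
 - if can?(current_user, :admin_project, @project)
- = link_to project_tag_path(@project, tag.name), class: 'btn btn-small remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
+ = link_to project_tag_path(@project, tag.name), class: 'btn btn-small btn-remove remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
 %i.icon-trash
 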
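--- a/doc/permissions/permissions.md
+++ b/doc/permissions/permissions.md
@@ -27,6 +27,7 @@ If a user is a GitLab administrator they receive all permissions.
 |Add new team members| |||✓|✓|
 |Push to protected branches| |||✓|✓|
 |Enable/Disable branch protection| |||✓|✓|
+|Rewrite/remove git tags| |||✓|✓|
 |Edit project| |||✓|✓|
 |Add Deploy Keys to project| |||✓|✓|
 |Configure Project Hooks| |||✓|✓|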
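--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -53,6 +53,9 @@ module Gitlab
 else
 :push_code_to_protected_branches
 end
+ elsif project.repository && project.repository.tag_names.include?(ref)
+ # Prevent any changes to existing git tag unless user has permissions
+ :admin_project
 else
 :push_code
 end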
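Review bot: The new `elsif` branch compares `ref` directly against `project.repository.tag_names`, and nothing in the hunk shows which form `ref` has at that point. If `ref` is the full ref name from the push (for example `refs/tags/v1.0`, a constructed sample) while `tag_names` holds short names, the condition never matches and every tag update falls through to `:push_code`, so the protection is silently absent. If `ref` is already a short name, a branch that shares its name with a tag would be forced to `:admin_project` as well. Restricting the check to the tag namespace avoids both, e.g. `elsif project.repository && ref.start_with?('refs/tags/') && project.repository.tag_names.include?(ref.sub(%r{\Arefs/tags/}, ''))`, together with a spec in which a non-master user tries to rewrite and to delete an existing tag. The enclosing method starts and ends outside this hunk, so the shape of `ref` needs to be confirmed there.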