Dont allow git tag rewrite/removal unless you are master

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Dont allow git tag rewrite/removal unless you are master
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Dmitriy Zaporozhets
1 parent 7ba18536
Showing 4 changed files with 6 additions and 1 deletions Show diff stats
CHANGELOG
app/views/projects/tags/_tag.html.haml
doc/permissions/permissions.md
lib/gitlab/git_access.rb
@@ -12,6 +12,7 @@ v 7.0.0
   - Make it easier to implement other CI services for GitLab
   - Group masters can create projects in group
   - Deprecate ruby 1.9.3 support
+  - Only masters can rewrite/remove git tags
  
 v 6.9.2
   - Revert the commit that broke the LDAP user filter
@@ -17,6 +17,6 @@
       - if can? current_user, :download_code, @project
         = render 'projects/repositories/download_archive', ref: tag.name, btn_class: 'btn-grouped btn-group-small'
       - if can?(current_user, :admin_project, @project)
-        = link_to project_tag_path(@project, tag.name), class: 'btn btn-small remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
+        = link_to project_tag_path(@project, tag.name), class: 'btn btn-small btn-remove remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
           %i.icon-trash
  
@@ -27,6 +27,7 @@ If a user is a GitLab administrator they receive all permissions.
 |Add new team members| |||✓|✓|
 |Push to protected branches| |||✓|✓|
 |Enable/Disable branch protection| |||✓|✓|
+|Rewrite/remove git tags| |||✓|✓|
 |Edit project| |||✓|✓|
 |Add Deploy Keys to project| |||✓|✓|
 |Configure Project Hooks| |||✓|✓|
@@ -53,6 +53,9 @@ module Gitlab
                    else
                      :push_code_to_protected_branches
                    end
+                 elsif project.repository && project.repository.tag_names.include?(ref)
+                   # Prevent any changes to existing git tag unless user has permissions
+                   :admin_project
                  else
                    :push_code
                  end
...	...	@@ -12,6 +12,7 @@ v 7.0.0
12	12	- Make it easier to implement other CI services for GitLab
13	13	- Group masters can create projects in group
14	14	- Deprecate ruby 1.9.3 support
	15	+ - Only masters can rewrite/remove git tags
15	16
16	17	v 6.9.2
17	18	- Revert the commit that broke the LDAP user filter
...	...
...	...	@@ -17,6 +17,6 @@
17	17	- if can? current_user, :download_code, @project
18	18	= render 'projects/repositories/download_archive', ref: tag.name, btn_class: 'btn-grouped btn-group-small'
19	19	- if can?(current_user, :admin_project, @project)
20		- = link_to project_tag_path(@project, tag.name), class: 'btn btn-small remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
	20	+ = link_to project_tag_path(@project, tag.name), class: 'btn btn-small btn-remove remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
21	21	%i.icon-trash
22	22
...	...
...	...	@@ -27,6 +27,7 @@ If a user is a GitLab administrator they receive all permissions.
27	27	\|Add new team members\| \|\|\|✓\|✓\|
28	28	\|Push to protected branches\| \|\|\|✓\|✓\|
29	29	\|Enable/Disable branch protection\| \|\|\|✓\|✓\|
	30	+\|Rewrite/remove git tags\| \|\|\|✓\|✓\|
30	31	\|Edit project\| \|\|\|✓\|✓\|
31	32	\|Add Deploy Keys to project\| \|\|\|✓\|✓\|
32	33	\|Configure Project Hooks\| \|\|\|✓\|✓\|
...	...
...	...	@@ -53,6 +53,9 @@ module Gitlab
53	53	else
54	54	:push_code_to_protected_branches
55	55	end
	56	+ elsif project.repository && project.repository.tag_names.include?(ref)
	57	+ # Prevent any changes to existing git tag unless user has permissions
	58	+ :admin_project
56	59	else
57	60	:push_code
58	61	end
...	...