1# frozen_string_literal: true 2 3module ProtectedRef 4 extend ActiveSupport::Concern 5 6 included do 7 belongs_to :project, touch: true 8 9 validates :name, presence: true 10 validates :project, presence: true 11 12 delegate :matching, :matches?, :wildcard?, to: :ref_matcher 13 14 scope :for_project, ->(project) { where(project: project) } 15 16 def allow_multiple?(type) 17 false 18 end 19 end 20 21 def commit 22 project.commit(self.name) 23 end 24 25 class_methods do 26 def protected_ref_access_levels(*types) 27 types.each do |type| 28 # We need to set `inverse_of` to make sure the `belongs_to`-object is set 29 # when creating children using `accepts_nested_attributes_for`. 30 # 31 # If we don't `protected_branch` or `protected_tag` would be empty and 32 # `project` cannot be delegated to it, which in turn would cause validations 33 # to fail. 34 has_many :"#{type}_access_levels", inverse_of: self.model_name.singular 35 36 validates :"#{type}_access_levels", length: { is: 1, message: "are restricted to a single instance per #{self.model_name.human}." }, unless: -> { allow_multiple?(type) } 37 38 accepts_nested_attributes_for :"#{type}_access_levels", allow_destroy: true 39 end 40 end 41 42 def protected_ref_accessible_to?(ref, user, project:, action:, protected_refs: nil) 43 access_levels_for_ref(ref, action: action, protected_refs: protected_refs).any? do |access_level| 44 access_level.check_access(user) 45 end 46 end 47 48 def developers_can?(action, ref, protected_refs: nil) 49 access_levels_for_ref(ref, action: action, protected_refs: protected_refs).any? do |access_level| 50 access_level.access_level == Gitlab::Access::DEVELOPER 51 end 52 end 53 54 def access_levels_for_ref(ref, action:, protected_refs: nil) 55 self.matching(ref, protected_refs: protected_refs) 56 .flat_map(&:"#{action}_access_levels") 57 end 58 59 # Returns all protected refs that match the given ref name. 60 # This checks all records from the scope built up so far, and does 61 # _not_ return a relation. 62 # 63 # This method optionally takes in a list of `protected_refs` to search 64 # through, to avoid calling out to the database. 65 def matching(ref_name, protected_refs: nil) 66 (protected_refs || self.all).select { |protected_ref| protected_ref.matches?(ref_name) } 67 end 68 end 69 70 private 71 72 def ref_matcher 73 @ref_matcher ||= RefMatcher.new(self.name) 74 end 75end 76 77# Prepending a module into a concern doesn't work very well for class methods, 78# since these are defined in a ClassMethods constant. As such, we prepend the 79# module directly into ProtectedRef::ClassMethods, instead of prepending it into 80# ProtectedRef. 81ProtectedRef::ClassMethods.prepend_mod_with('ProtectedRef') 82