1# frozen_string_literal: true
2
3module ProtectedRef
4  extend ActiveSupport::Concern
5
6  included do
7    belongs_to :project, touch: true
8
9    validates :name, presence: true
10    validates :project, presence: true
11
12    delegate :matching, :matches?, :wildcard?, to: :ref_matcher
13
14    scope :for_project, ->(project) { where(project: project) }
15
16    def allow_multiple?(type)
17      false
18    end
19  end
20
21  def commit
22    project.commit(self.name)
23  end
24
25  class_methods do
26    def protected_ref_access_levels(*types)
27      types.each do |type|
28        # We need to set `inverse_of` to make sure the `belongs_to`-object is set
29        # when creating children using `accepts_nested_attributes_for`.
30        #
31        # If we don't `protected_branch` or `protected_tag` would be empty and
32        # `project` cannot be delegated to it, which in turn would cause validations
33        # to fail.
34        has_many :"#{type}_access_levels", inverse_of: self.model_name.singular
35
36        validates :"#{type}_access_levels", length: { is: 1, message: "are restricted to a single instance per #{self.model_name.human}." }, unless: -> { allow_multiple?(type) }
37
38        accepts_nested_attributes_for :"#{type}_access_levels", allow_destroy: true
39      end
40    end
41
42    def protected_ref_accessible_to?(ref, user, project:, action:, protected_refs: nil)
43      access_levels_for_ref(ref, action: action, protected_refs: protected_refs).any? do |access_level|
44        access_level.check_access(user)
45      end
46    end
47
48    def developers_can?(action, ref, protected_refs: nil)
49      access_levels_for_ref(ref, action: action, protected_refs: protected_refs).any? do |access_level|
50        access_level.access_level == Gitlab::Access::DEVELOPER
51      end
52    end
53
54    def access_levels_for_ref(ref, action:, protected_refs: nil)
55      self.matching(ref, protected_refs: protected_refs)
56        .flat_map(&:"#{action}_access_levels")
57    end
58
59    # Returns all protected refs that match the given ref name.
60    # This checks all records from the scope built up so far, and does
61    # _not_ return a relation.
62    #
63    # This method optionally takes in a list of `protected_refs` to search
64    # through, to avoid calling out to the database.
65    def matching(ref_name, protected_refs: nil)
66      (protected_refs || self.all).select { |protected_ref| protected_ref.matches?(ref_name) }
67    end
68  end
69
70  private
71
72  def ref_matcher
73    @ref_matcher ||= RefMatcher.new(self.name)
74  end
75end
76
77# Prepending a module into a concern doesn't work very well for class methods,
78# since these are defined in a ClassMethods constant. As such, we prepend the
79# module directly into ProtectedRef::ClassMethods, instead of prepending it into
80# ProtectedRef.
81ProtectedRef::ClassMethods.prepend_mod_with('ProtectedRef')
82