@jvanbaarsen
Contributor

No description provided.

@jvanbaarsen
Contributor Author

@randx / @jacobvosmaer What is the difference in permissions when you check api.allowed?(action,...)? I see you can set it to either one of these:

```ruby
DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
PUSH_COMMANDS = %w{ git-receive-pack }
```

When I'm pushing a tag, my first impression would be that I have to check for git-receive-pack, am I right?

Contributor Author

I'm not sure if this is the way to go, since people might have a branch called tag-create. So if a person has a protected branch called tag-create and you only have developer-level permission, you would not be able to push tags. @randx Do you have any idea how to create a more robust system for this?

Contributor

@jvanbaarsen Maybe it is better not to use the @branch_name variable? For example, @ref_name of @ref?

Contributor Author

@zzet Thanks for the reply! But this PR is not needed anymore :)

@coveralls

Coverage Status

Coverage remained the same when pulling c78f438 on jvanbaarsen:post-tag-push into 79bceae on gitlabhq:master.

@jacobvosmaer
Contributor

@jvanbaarsen if I understand correctly, the current situation is that anyone with push access to a GitLab project can push tags. Did we decide to change this behavior? If not then I am not 100% sure we need to change anything in gitlab-shell to create webhooks for tags.

/cc @randx

@jvanbaarsen
Contributor Author

@jacobvosmaer Thanks for the reply! The problem is in the check for pushing over SSH:

```ruby
if ssh?
  if api.allowed?('git-receive-pack', @repo_name, @key_id, @branch_name)
    update_redis
    exit 0
  else
    puts "GitLab: You are not allowed to access #{@branch_name}!"
    exit 1
  end
else
  update_redis
  exit 0
end
```

It's checking on the branch name, not on the complete ref, so if I have a protected branch production and I want to push a new tag production, it will get refused.
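
An added illustration (not from the thread and not gitlab-shell code) of the collision the comment above describes: a check keyed on the short name treats the tag `production` like the protected branch `production`, while a check on the full ref does not. `PROTECTED_BRANCHES`, `parse_ref` and both `allowed_*` methods are hypothetical names, and the sample data is constructed.

```ruby
# Hypothetical names throughout; constructed sample data.
PROTECTED_BRANCHES = %w[production].freeze

# Split a full Git ref into [kind, short_name].
# refs/heads/* are branches, refs/tags/* are tags.
def parse_ref(ref)
  case ref
  when %r{\Arefs/heads/(.+)\z} then [:branch, Regexp.last_match(1)]
  when %r{\Arefs/tags/(.+)\z}  then [:tag, Regexp.last_match(1)]
  else [:other, ref]
  end
end

# Check keyed on the short name only: the namespace is discarded, so a
# tag and a branch that share a name are indistinguishable.
def allowed_by_short_name?(ref, can_push_protected:)
  _kind, name = parse_ref(ref)
  can_push_protected || !PROTECTED_BRANCHES.include?(name)
end

# Check keyed on the full ref: branch protection is applied only to
# refs under refs/heads/, so a tag named "production" is unaffected.
def allowed_by_full_ref?(ref, can_push_protected:)
  kind, name = parse_ref(ref)
  return true unless kind == :branch
  can_push_protected || !PROTECTED_BRANCHES.include?(name)
end

# Compare both checks for a user without rights on protected branches.
def compare(refs)
  refs.map do |ref|
    [ref,
     allowed_by_short_name?(ref, can_push_protected: false),
     allowed_by_full_ref?(ref, can_push_protected: false)]
  end
end

if __FILE__ == $PROGRAM_NAME
  sample = %w[refs/heads/production refs/tags/production refs/tags/v1.0]
  compare(sample).each do |ref, short, full|
    puts format('%-24s short-name: %-5s full-ref: %s', ref, short, full)
  end
end
```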

@jacobvosmaer
Contributor

@jvanbaarsen I naively assumed the following would happen in the current situation when I push tag mytag to GitLab with Developer permissions:

I may be wrong. Still, could it be that there you are seeing an issue with using the same name (production) for the branch and the tag?

@jvanbaarsen
Contributor Author

@jacobvosmaer That sounds reasonable :-) I'll check that within an hour!

@jvanbaarsen
Contributor Author

@jacobvosmaer Thanks for the feedback :-) The changes in the gitlab-shell hook seem to be unnecessary :) I think I can close this one, what do you think?

@jacobvosmaer
Contributor

Feel free to close this PR @jvanbaarsen.

@jvanbaarsen jvanbaarsen closed this Mar 6, 2014