Nulo/gitea
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Activity

improve protected branch to add whitelist support (#2451)

Browse source 
* improve protected branch to add whitelist support

* fix lint

* fix style check

* fix tests

* fix description on UI and import

* fix test

* bug fixed

* fix tests and languages

* move isSliceInt64Eq to util pkg; improve function names & typo
This commit is contained in:
Lunny Xiao 2017-09-14 16:16:22 +08:00 committed by GitHub
parent be3319b3d5
commit 1739e84ac0
29 changed files with 736 additions and 303 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
cmd/hook.go
View file

@ -84,9 +84,10 @@ func runHookPreReceive(c *cli.Context) error {
// the environment setted on serv command
repoID, _ := strconv.ParseInt(os.Getenv(models.ProtectedBranchRepoID), 10, 64)
isWiki := (os.Getenv(models.EnvRepoIsWiki) == "true")
//username := os.Getenv(models.EnvRepoUsername)
//reponame := os.Getenv(models.EnvRepoName)
//repoPath := models.RepoPath(username, reponame)
username := os.Getenv(models.EnvRepoUsername)
reponame := os.Getenv(models.EnvRepoName)
userIDStr := os.Getenv(models.EnvPusherID)
repoPath := models.RepoPath(username, reponame)
buf := bytes.NewBuffer(nil)
scanner := bufio.NewScanner(os.Stdin)
@ -104,36 +105,37 @@ func runHookPreReceive(c *cli.Context) error {
continue
}
//oldCommitID := string(fields[0])
oldCommitID := string(fields[0])
newCommitID := string(fields[1])
refFullName := string(fields[2])
// FIXME: when we add feature to protected branch to deny force push, then uncomment below
/*var isForce bool
// detect force push
if git.EmptySHA != oldCommitID {
output, err := git.NewCommand("rev-list", oldCommitID, "^"+newCommitID).RunInDir(repoPath)
if err != nil {
fail("Internal error", "Fail to detect force push: %v", err)
} else if len(output) > 0 {
isForce = true
}
}*/
branchName := strings.TrimPrefix(refFullName, git.BranchPrefix)
protectBranch, err := private.GetProtectedBranchBy(repoID, branchName)
if err != nil {
log.GitLogger.Fatal(2, "retrieve protected branches information failed")
}
if protectBranch != nil {
if !protectBranch.CanPush {
// check and deletion
if newCommitID == git.EmptySHA {
fail(fmt.Sprintf("branch %s is protected from deletion", branchName), "")
} else {
if protectBranch != nil && protectBranch.IsProtected() {
// detect force push
if git.EmptySHA != oldCommitID {
output, err := git.NewCommand("rev-list", oldCommitID, "^"+newCommitID).RunInDir(repoPath)
if err != nil {
fail("Internal error", "Fail to detect force push: %v", err)
} else if len(output) > 0 {
fail(fmt.Sprintf("branch %s is protected from force push", branchName), "")
}
}
// check and deletion
if newCommitID == git.EmptySHA {
fail(fmt.Sprintf("branch %s is protected from deletion", branchName), "")
} else {
userID, _ := strconv.ParseInt(userIDStr, 10, 64)
canPush, err := private.CanUserPush(protectBranch.ID, userID)
if err != nil {
fail("Internal error", "Fail to detect user can push: %v", err)
} else if !canPush {
fail(fmt.Sprintf("protected branch %s can not be pushed to", branchName), "")
//fail(fmt.Sprintf("branch %s is protected from force push", branchName), "")
}
}
}

25
integrations/editor_test.go
View file

@ -43,16 +43,15 @@ func TestCreateFileOnProtectedBranch(t *testing.T) {
csrf := GetCSRF(t, session, "/user2/repo1/settings/branches")
// Change master branch to protected
req := NewRequestWithValues(t, "POST", "/user2/repo1/settings/branches?action=protected_branch", map[string]string{
"_csrf": csrf,
"branchName": "master",
"canPush": "true",
req := NewRequestWithValues(t, "POST", "/user2/repo1/settings/branches/master", map[string]string{
"_csrf": csrf,
"protected": "on",
})
resp := session.MakeRequest(t, req, http.StatusOK)
resp := session.MakeRequest(t, req, http.StatusFound)
// Check if master branch has been locked successfully
flashCookie := session.GetCookie("macaron_flash")
assert.NotNil(t, flashCookie)
assert.EqualValues(t, flashCookie.Value, "success%3Dmaster%2BLocked%2Bsuccessfully")
assert.EqualValues(t, "success%3DBranch%2Bmaster%2Bprotect%2Boptions%2Bchanged%2Bsuccessfully.", flashCookie.Value)
// Request editor page
req = NewRequest(t, "GET", "/user2/repo1/_new/master/")
@ -74,6 +73,20 @@ func TestCreateFileOnProtectedBranch(t *testing.T) {
resp = session.MakeRequest(t, req, http.StatusOK)
// Check body for error message
assert.Contains(t, string(resp.Body), "Can not commit to protected branch 'master'.")
// remove the protected branch
csrf = GetCSRF(t, session, "/user2/repo1/settings/branches")
// Change master branch to protected
req = NewRequestWithValues(t, "POST", "/user2/repo1/settings/branches/master", map[string]string{
"_csrf": csrf,
"protected": "off",
})
resp = session.MakeRequest(t, req, http.StatusFound)
// Check if master branch has been locked successfully
flashCookie = session.GetCookie("macaron_flash")
assert.NotNil(t, flashCookie)
assert.EqualValues(t, "success%3DBranch%2Bmaster%2Bprotect%2Boptions%2Bremoved%2Bsuccessfully", flashCookie.Value)
}
func testEditFile(t *testing.T, session *TestSession, user, repo, branch, filePath string) *TestResponse {

2
integrations/integration_test.go
View file

@ -269,7 +269,7 @@ func MakeRequest(t testing.TB, req *http.Request, expectedStatus int) *TestRespo
mac.ServeHTTP(respWriter, req)
if expectedStatus != NoExpectedStatus {
assert.EqualValues(t, expectedStatus, respWriter.HeaderCode,
"Request URL: %s", req.URL.String())
"Request URL: %s %s", req.URL.String(), buffer.String())
}
return &TestResponse{
HeaderCode: respWriter.HeaderCode,

2
integrations/internal_test.go
View file

@ -31,7 +31,7 @@ func assertProtectedBranch(t *testing.T, repoID int64, branchName string, isErr,
var branch models.ProtectedBranch
t.Log(string(resp.Body))
assert.NoError(t, json.Unmarshal(resp.Body, &branch))
assert.Equal(t, canPush, branch.CanPush)
assert.Equal(t, canPush, !branch.IsProtected())
}
}

192
models/branches.go
View file

@ -8,6 +8,12 @@ import (
"fmt"
"strings"
"time"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/util"
"github.com/Unknwon/com"
)
const (
@ -17,14 +23,43 @@ const (
// ProtectedBranch struct
type ProtectedBranch struct {
ID int64 `xorm:"pk autoincr"`
RepoID int64 `xorm:"UNIQUE(s)"`
BranchName string `xorm:"UNIQUE(s)"`
CanPush bool
Created time.Time `xorm:"-"`
CreatedUnix int64 `xorm:"created"`
Updated time.Time `xorm:"-"`
UpdatedUnix int64 `xorm:"updated"`
ID int64 `xorm:"pk autoincr"`
RepoID int64 `xorm:"UNIQUE(s)"`
BranchName string `xorm:"UNIQUE(s)"`
EnableWhitelist bool
WhitelistUserIDs []int64 `xorm:"JSON TEXT"`
WhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
Created time.Time `xorm:"-"`
CreatedUnix int64 `xorm:"created"`
Updated time.Time `xorm:"-"`
UpdatedUnix int64 `xorm:"updated"`
}
// IsProtected returns if the branch is protected
func (protectBranch *ProtectedBranch) IsProtected() bool {
return protectBranch.ID > 0
}
// CanUserPush returns if some user could push to this protected branch
func (protectBranch *ProtectedBranch) CanUserPush(userID int64) bool {
if !protectBranch.EnableWhitelist {
return false
}
if base.Int64sContains(protectBranch.WhitelistUserIDs, userID) {
return true
}
if len(protectBranch.WhitelistTeamIDs) == 0 {
return false
}
in, err := IsUserInTeams(userID, protectBranch.WhitelistTeamIDs)
if err != nil {
log.Error(1, "IsUserInTeams:", err)
return false
}
return in
}
// GetProtectedBranchByRepoID getting protected branch by repo ID
@ -46,6 +81,73 @@ func GetProtectedBranchBy(repoID int64, BranchName string) (*ProtectedBranch, er
return rel, nil
}
// GetProtectedBranchByID getting protected branch by ID
func GetProtectedBranchByID(id int64) (*ProtectedBranch, error) {
rel := &ProtectedBranch{ID: id}
has, err := x.Get(rel)
if err != nil {
return nil, err
}
if !has {
return nil, nil
}
return rel, nil
}
// UpdateProtectBranch saves branch protection options of repository.
// If ID is 0, it creates a new record. Otherwise, updates existing record.
// This function also performs check if whitelist user and team's IDs have been changed
// to avoid unnecessary whitelist delete and regenerate.
func UpdateProtectBranch(repo *Repository, protectBranch *ProtectedBranch, whitelistUserIDs, whitelistTeamIDs []int64) (err error) {
if err = repo.GetOwner(); err != nil {
return fmt.Errorf("GetOwner: %v", err)
}
hasUsersChanged := !util.IsSliceInt64Eq(protectBranch.WhitelistUserIDs, whitelistUserIDs)
if hasUsersChanged {
protectBranch.WhitelistUserIDs = make([]int64, 0, len(whitelistUserIDs))
for _, userID := range whitelistUserIDs {
has, err := hasAccess(x, userID, repo, AccessModeWrite)
if err != nil {
return fmt.Errorf("HasAccess [user_id: %d, repo_id: %d]: %v", userID, protectBranch.RepoID, err)
} else if !has {
continue // Drop invalid user ID
}
protectBranch.WhitelistUserIDs = append(protectBranch.WhitelistUserIDs, userID)
}
}
// if the repo is in an orgniziation
hasTeamsChanged := !util.IsSliceInt64Eq(protectBranch.WhitelistTeamIDs, whitelistTeamIDs)
if hasTeamsChanged {
teams, err := GetTeamsWithAccessToRepo(repo.OwnerID, repo.ID, AccessModeWrite)
if err != nil {
return fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %v", repo.OwnerID, repo.ID, err)
}
protectBranch.WhitelistTeamIDs = make([]int64, 0, len(teams))
for i := range teams {
if teams[i].HasWriteAccess() && com.IsSliceContainsInt64(whitelistTeamIDs, teams[i].ID) {
protectBranch.WhitelistTeamIDs = append(protectBranch.WhitelistTeamIDs, teams[i].ID)
}
}
}
// Make sure protectBranch.ID is not 0 for whitelists
if protectBranch.ID == 0 {
if _, err = x.Insert(protectBranch); err != nil {
return fmt.Errorf("Insert: %v", err)
}
return nil
}
if _, err = x.Id(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
return fmt.Errorf("Update: %v", err)
}
return nil
}
// GetProtectedBranches get all protected branches
func (repo *Repository) GetProtectedBranches() ([]*ProtectedBranch, error) {
protectedBranches := make([]*ProtectedBranch, 0)
@ -53,7 +155,7 @@ func (repo *Repository) GetProtectedBranches() ([]*ProtectedBranch, error) {
}
// IsProtectedBranch checks if branch is protected
func (repo *Repository) IsProtectedBranch(branchName string) (bool, error) {
func (repo *Repository) IsProtectedBranch(branchName string, doer *User) (bool, error) {
protectedBranch := &ProtectedBranch{
RepoID: repo.ID,
BranchName: branchName,
@ -63,70 +165,12 @@ func (repo *Repository) IsProtectedBranch(branchName string) (bool, error) {
if err != nil {
return true, err
} else if has {
return true, nil
return !protectedBranch.CanUserPush(doer.ID), nil
}
return false, nil
}
// AddProtectedBranch add protection to branch
func (repo *Repository) AddProtectedBranch(branchName string, canPush bool) error {
protectedBranch := &ProtectedBranch{
RepoID: repo.ID,
BranchName: branchName,
}
has, err := x.Get(protectedBranch)
if err != nil {
return err
} else if has {
return nil
}
sess := x.NewSession()
defer sess.Close()
if err = sess.Begin(); err != nil {
return err
}
protectedBranch.CanPush = canPush
if _, err = sess.InsertOne(protectedBranch); err != nil {
return err
}
return sess.Commit()
}
// ChangeProtectedBranch access mode sets new access mode for the ProtectedBranch.
func (repo *Repository) ChangeProtectedBranch(id int64, canPush bool) error {
ProtectedBranch := &ProtectedBranch{
RepoID: repo.ID,
ID: id,
}
has, err := x.Get(ProtectedBranch)
if err != nil {
return fmt.Errorf("get ProtectedBranch: %v", err)
} else if !has {
return nil
}
if ProtectedBranch.CanPush == canPush {
return nil
}
ProtectedBranch.CanPush = canPush
sess := x.NewSession()
defer sess.Close()
if err = sess.Begin(); err != nil {
return err
}
if _, err = sess.Id(ProtectedBranch.ID).AllCols().Update(ProtectedBranch); err != nil {
return fmt.Errorf("update ProtectedBranch: %v", err)
}
return sess.Commit()
}
// DeleteProtectedBranch removes ProtectedBranch relation between the user and repository.
func (repo *Repository) DeleteProtectedBranch(id int64) (err error) {
protectedBranch := &ProtectedBranch{
@ -148,15 +192,3 @@ func (repo *Repository) DeleteProtectedBranch(id int64) (err error) {
return sess.Commit()
}
// newProtectedBranch insert one queue
func newProtectedBranch(protectedBranch *ProtectedBranch) error {
_, err := x.InsertOne(protectedBranch)
return err
}
// UpdateProtectedBranch update queue
func UpdateProtectedBranch(protectedBranch *ProtectedBranch) error {
_, err := x.Update(protectedBranch)
return err
}

2
models/migrations/migrations.go
View file

@ -128,6 +128,8 @@ var migrations = []Migration{
NewMigration("remove commits and settings unit types", removeCommitsUnitType),
// v39 -> v40
NewMigration("adds time tracking and stopwatches", addTimetracking),
// v40 -> v41
NewMigration("migrate protected branch struct", migrateProtectedBranchStruct),
}
// Migrate database to current version

55
models/migrations/v40.go Normal file
View file

@ -0,0 +1,55 @@
// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package migrations
import (
"fmt"
"time"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"github.com/go-xorm/xorm"
)
func migrateProtectedBranchStruct(x *xorm.Engine) error {
type ProtectedBranch struct {
ID int64 `xorm:"pk autoincr"`
RepoID int64 `xorm:"UNIQUE(s)"`
BranchName string `xorm:"UNIQUE(s)"`
CanPush bool
Created time.Time `xorm:"-"`
CreatedUnix int64
Updated time.Time `xorm:"-"`
UpdatedUnix int64
}
var pbs []ProtectedBranch
err := x.Find(&pbs)
if err != nil {
return err
}
for _, pb := range pbs {
if pb.CanPush {
if _, err = x.ID(pb.ID).Delete(new(ProtectedBranch)); err != nil {
return err
}
}
}
switch {
case setting.UseSQLite3:
log.Warn("Unable to drop columns in SQLite")
case setting.UseMySQL, setting.UsePostgreSQL, setting.UseMSSQL, setting.UseTiDB:
if _, err := x.Exec("ALTER TABLE protected_branch DROP COLUMN can_push"); err != nil {
return fmt.Errorf("DROP COLUMN can_push: %v", err)
}
default:
log.Fatal(4, "Unrecognized DB")
}
return nil
}

5
models/org.go
View file

@ -577,6 +577,11 @@ func (org *User) getUserTeamIDs(e Engine, userID int64) ([]int64, error) {
Find(&teamIDs)
}
// TeamsWithAccessToRepo returns all teamsthat have given access level to the repository.
func (org *User) TeamsWithAccessToRepo(repoID int64, mode AccessMode) ([]*Team, error) {
return GetTeamsWithAccessToRepo(org.ID, repoID, mode)
}
// GetUserTeamIDs returns of all team IDs of the organization that user is member of.
func (org *User) GetUserTeamIDs(userID int64) ([]int64, error) {
return org.getUserTeamIDs(x, userID)

20
models/org_team.go
View file

@ -35,6 +35,11 @@ func (t *Team) GetUnitTypes() []UnitType {
return t.UnitTypes
}
// HasWriteAccess returns true if team has at least write level access mode.
func (t *Team) HasWriteAccess() bool {
return t.Authorize >= AccessModeWrite
}
// IsOwnerTeam returns true if team is owner team.
func (t *Team) IsOwnerTeam() bool {
return t.Name == ownerTeamName
@ -594,6 +599,11 @@ func RemoveTeamMember(team *Team, userID int64) error {
return sess.Commit()
}
// IsUserInTeams returns if a user in some teams
func IsUserInTeams(userID int64, teamIDs []int64) (bool, error) {
return x.Where("uid=?", userID).In("team_id", teamIDs).Exist(new(TeamUser))
}
// ___________ __________
// \__ ___/___ _____ _____\______ \ ____ ______ ____
// | |_/ __ \\__ \ / \| _// __ \\____ \ / _ \
@ -639,3 +649,13 @@ func removeTeamRepo(e Engine, teamID, repoID int64) error {
})
return err
}
// GetTeamsWithAccessToRepo returns all teams in an organization that have given access level to the repository.
func GetTeamsWithAccessToRepo(orgID, repoID int64, mode AccessMode) ([]*Team, error) {
teams := make([]*Team, 0, 5)
return teams, x.Where("team.authorize >= ?", mode).
Join("INNER", "team_repo", "team_repo.team_id = team.id").
And("team_repo.org_id = ?", orgID).
And("team_repo.repo_id = ?", repoID).
Find(&teams)
}

36
models/repo.go
View file

@ -656,6 +656,42 @@ func (repo *Repository) CanEnableEditor() bool {
return !repo.IsMirror
}
// GetWriters returns all users that have write access to the repository.
func (repo *Repository) GetWriters() (_ []*User, err error) {
return repo.getUsersWithAccessMode(x, AccessModeWrite)
}
// getUsersWithAccessMode returns users that have at least given access mode to the repository.
func (repo *Repository) getUsersWithAccessMode(e Engine, mode AccessMode) (_ []*User, err error) {
if err = repo.getOwner(e); err != nil {
return nil, err
}
accesses := make([]*Access, 0, 10)
if err = e.Where("repo_id = ? AND mode >= ?", repo.ID, mode).Find(&accesses); err != nil {
return nil, err
}
// Leave a seat for owner itself to append later, but if owner is an organization
// and just waste 1 unit is cheaper than re-allocate memory once.
users := make([]*User, 0, len(accesses)+1)
if len(accesses) > 0 {
userIDs := make([]int64, len(accesses))
for i := 0; i < len(accesses); i++ {
userIDs[i] = accesses[i].UserID
}
if err = e.In("id", userIDs).Find(&users); err != nil {
return nil, err
}
}
if !repo.Owner.IsOrganization() {
users = append(users, repo.Owner)
}
return users, nil
}
// NextIssueIndex returns the next issue index
// FIXME: should have a mutex to prevent producing same index for two issues that are created
// closely enough.

20
modules/auth/repo_form.go
View file

@ -113,6 +113,26 @@ func (f *RepoSettingForm) Validate(ctx *macaron.Context, errs binding.Errors) bi
return validate(errs, ctx.Data, f, ctx.Locale)
}
// __________ .__
// \______ \____________ ____ ____ | |__
// | | _/\_ __ \__ \ / \_/ ___\| | \
// | | \ | | \// __ \| | \ \___| Y \
// |______ / |__| (____ /___| /\___ >___| /
// \/ \/ \/ \/ \/
// ProtectBranchForm form for changing protected branch settings
type ProtectBranchForm struct {
Protected bool
EnableWhitelist bool
WhitelistUsers string
WhitelistTeams string
}
// Validate validates the fields
func (f *ProtectBranchForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
return validate(errs, ctx.Data, f, ctx.Locale)
}
// __ __ ___. .__ .__ __
// / \ / \ ____\_ |__ | |__ | |__ ____ | | __
// \ \/\/ // __ \| __ \| | \| | \ / _ \| |/ /

10
modules/base/tool.go
View file

@ -497,6 +497,16 @@ func Int64sToMap(ints []int64) map[int64]bool {
return m
}
// Int64sContains returns if a int64 in a slice of int64
func Int64sContains(intsSlice []int64, a int64) bool {
for _, c := range intsSlice {
if c == a {
return true
}
}
return false
}
// IsLetter reports whether the rune is a letter (category L).
// https://github.com/golang/go/blob/master/src/go/scanner/scanner.go#L257
func IsLetter(ch rune) bool {

4
modules/context/repo.go
View file

@ -78,8 +78,8 @@ func (r *Repository) CanEnableEditor() bool {
// CanCommitToBranch returns true if repository is editable and user has proper access level
// and branch is not protected
func (r *Repository) CanCommitToBranch() (bool, error) {
protectedBranch, err := r.Repository.IsProtectedBranch(r.BranchName)
func (r *Repository) CanCommitToBranch(doer *models.User) (bool, error) {
protectedBranch, err := r.Repository.IsProtectedBranch(r.BranchName, doer)
if err != nil {
return false, err
}

26
modules/private/branch.go
View file

@ -38,3 +38,29 @@ func GetProtectedBranchBy(repoID int64, branchName string) (*models.ProtectedBra
return &branch, nil
}
// CanUserPush returns if user can push
func CanUserPush(protectedBranchID, userID int64) (bool, error) {
// Ask for running deliver hook and test pull request tasks.
reqURL := setting.LocalURL + fmt.Sprintf("api/internal/protectedbranch/%d/%d", protectedBranchID, userID)
log.GitLogger.Trace("CanUserPush: %s", reqURL)
resp, err := newInternalRequest(reqURL, "GET").Response()
if err != nil {
return false, err
}
var canPush = make(map[string]interface{})
if err := json.NewDecoder(resp.Body).Decode(&canPush); err != nil {
return false, err
}
defer resp.Body.Close()
// All 2XX status codes are accepted and others will return an error
if resp.StatusCode/100 != 2 {
return false, fmt.Errorf("Failed to retrieve push user: %s", decodeJSONError(resp).Err)
}
return canPush["can_push"].(bool), nil
}

29
modules/util/compare.go Normal file
View file

@ -0,0 +1,29 @@
// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package util
import "sort"
// Int64Slice attaches the methods of Interface to []int64, sorting in increasing order.
type Int64Slice []int64
func (p Int64Slice) Len() int { return len(p) }
func (p Int64Slice) Less(i, j int) bool { return p[i] < p[j] }
func (p Int64Slice) Swap(i, j int) { p[i], p[j] = p[j], p[i] }
// IsSliceInt64Eq returns if the two slice has the same elements but different sequences.
func IsSliceInt64Eq(a, b []int64) bool {
if len(a) != len(b) {
return false
}
sort.Sort(Int64Slice(a))
sort.Sort(Int64Slice(b))
for i := 0; i < len(a); i++ {
if a[i] != b[i] {
return false
}
}
return true
}

14
options/locale/locale_en-US.ini
View file

@ -945,11 +945,19 @@ settings.protected_branch=Branch Protection
settings.protected_branch_can_push=Allow push?
settings.protected_branch_can_push_yes=You can push
settings.protected_branch_can_push_no=You can not push
settings.branch_protection = Branch Protection for <b>%s</b>
settings.protect_this_branch = Protect this branch
settings.protect_this_branch_desc = Disable force pushes and prevent deletion.
settings.protect_whitelist_committers = Whitelist who can push to this branch
settings.protect_whitelist_committers_desc = Add users or teams to this branch's whitelist. Whitelisted users bypass the typical push restrictions.
settings.protect_whitelist_users = Users who can push to this branch
settings.protect_whitelist_search_users = Search users
settings.protect_whitelist_teams = Teams whose members can push to this branch.
settings.protect_whitelist_search_teams = Search teams
settings.add_protected_branch=Enable protection
settings.delete_protected_branch=Disable protection
settings.add_protected_branch_success=%s Locked successfully
settings.add_protected_branch_failed= %s Locked failed
settings.remove_protected_branch_success=%s Unlocked successfully
settings.update_protect_branch_success = Branch %s protect options changed successfully.
settings.remove_protected_branch_success= Branch %s protect options removed successfully
settings.protected_branch_deletion=To delete a protected branch
settings.protected_branch_deletion_desc=Anyone with write permissions will be able to push directly to this branch. Are you sure?
settings.default_branch_desc = The default branch is considered the "base" branch in your repository against which all pull requests and code commits are automatically made, unless you specify a different branch.

24
public/css/index.css
View file

@ -2344,6 +2344,30 @@ footer .ui.language .menu {
margin-left: 5px;
margin-top: -3px;
}
.repository.settings.branches .protected-branches .selection.dropdown {
width: 300px;
}
.repository.settings.branches .protected-branches .item {
border: 1px solid #eaeaea;
padding: 10px 15px;
}
.repository.settings.branches .protected-branches .item:not(:last-child) {
border-bottom: 0;
}
.repository.settings.branches .branch-protection .help {
margin-left: 26px;
padding-top: 0;
}
.repository.settings.branches .branch-protection .fields {
margin-left: 20px;
display: block;
}
.repository.settings.branches .branch-protection .whitelist {
margin-left: 26px;
}
.repository.settings.branches .branch-protection .whitelist .dropdown img {
display: inline-block;
}
.repository.settings.webhook .events .column {
padding-bottom: 0;
}

45
public/js/index.js
View file

@ -639,42 +639,18 @@ function initRepository() {
if ($('.repository.compare.pull').length > 0) {
initFilterSearchDropdown('.choose.branch .dropdown');
}
}
function initProtectedBranch() {
$('#protectedBranch').change(function () {
var $this = $(this);
$.post($this.data('url'), {
"_csrf": csrf,
"canPush": true,
"branchName": $this.val(),
},
function (data) {
if (data.redirect) {
window.location.href = data.redirect;
} else {
location.reload();
}
// Branches
if ($('.repository.settings.branches').length > 0) {
initFilterSearchDropdown('.protected-branches .dropdown');
$('.enable-protection, .enable-whitelist').change(function () {
if (this.checked) {
$($(this).data('target')).removeClass('disabled');
} else {
$($(this).data('target')).addClass('disabled');
}
);
});
$('.rm').click(function () {
var $this = $(this);
$.post($this.data('url'), {
"_csrf": csrf,
"canPush": false,
"branchName": $this.data('val'),
},
function (data) {
if (data.redirect) {
window.location.href = data.redirect;
} else {
location.reload();
}
}
);
});
});
}
}
function initRepositoryCollaboration() {
@ -1598,7 +1574,6 @@ $(document).ready(function () {
initEditForm();
initEditor();
initOrganization();
initProtectedBranch();
initWebhook();
initAdmin();
initCodeView();

33
public/less/_repository.less
View file

@ -1251,6 +1251,39 @@
}
}
&.branches {
.protected-branches {
.selection.dropdown {
width: 300px;
}
.item {
border: 1px solid #eaeaea;
padding: 10px 15px;
&:not(:last-child) {
border-bottom: 0;
}
}
}
.branch-protection {
.help {
margin-left: 26px;
padding-top: 0;
}
.fields {
margin-left: 20px;
display: block;
}
.whitelist {
margin-left: 26px;
.dropdown img {
display: inline-block;
}
}
}
}
&.webhook {
.events {
.column {

24
routers/private/branch.go
View file

@ -24,7 +24,29 @@ func GetProtectedBranchBy(ctx *macaron.Context) {
ctx.JSON(200, protectBranch)
} else {
ctx.JSON(200, &models.ProtectedBranch{
CanPush: true,
ID: 0,
})
}
}
// CanUserPush returns if user push
func CanUserPush(ctx *macaron.Context) {
pbID := ctx.ParamsInt64(":pbid")
userID := ctx.ParamsInt64(":userid")
protectBranch, err := models.GetProtectedBranchByID(pbID)
if err != nil {
ctx.JSON(500, map[string]interface{}{
"err": err.Error(),
})
return
} else if protectBranch != nil {
ctx.JSON(200, map[string]interface{}{
"can_push": protectBranch.CanUserPush(userID),
})
} else {
ctx.JSON(200, map[string]interface{}{
"can_push": false,
})
}
}

1
routers/private/internal.go
View file

@ -42,6 +42,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Group("/", func() {
m.Post("/ssh/:id/update", UpdatePublicKey)
m.Post("/push/update", PushUpdate)
m.Get("/protectedbranch/:pbid/:userid", CanUserPush)
m.Get("/branch/:id/*", GetProtectedBranchBy)
}, CheckInternalToken)
}

2
routers/repo/editor.go
View file

@ -32,7 +32,7 @@ const (
)
func renderCommitRights(ctx *context.Context) bool {
canCommit, err := ctx.Repo.CanCommitToBranch()
canCommit, err := ctx.Repo.CanCommitToBranch(ctx.User)
if err != nil {
log.Error(4, "CanCommitToBranch: %v", err)
}

2
routers/repo/issue.go
View file

@ -694,7 +694,7 @@ func ViewIssue(ctx *context.Context) {
log.Error(4, "GetHeadRepo: %v", err)
} else if pull.HeadRepo != nil && pull.HeadBranch != pull.HeadRepo.DefaultBranch && ctx.User.IsWriterOfRepo(pull.HeadRepo) {
// Check if branch is not protected
if protected, err := pull.HeadRepo.IsProtectedBranch(pull.HeadBranch); err != nil {
if protected, err := pull.HeadRepo.IsProtectedBranch(pull.HeadBranch, ctx.User); err != nil {
log.Error(4, "IsProtectedBranch: %v", err)
} else if !protected {
canDelete = true

2
routers/repo/pull.go
View file

@ -841,7 +841,7 @@ func CleanUpPullRequest(ctx *context.Context) {
}
// Check if branch is not protected
if protected, err := pr.HeadRepo.IsProtectedBranch(pr.HeadBranch); err != nil || protected {
if protected, err := pr.HeadRepo.IsProtectedBranch(pr.HeadBranch, ctx.User); err != nil || protected {
if err != nil {
log.Error(4, "HeadRepo.IsProtectedBranch: %v", err)
}

138
routers/repo/setting.go
View file

@ -25,6 +25,7 @@ const (
tplGithooks base.TplName = "repo/settings/githooks"
tplGithookEdit base.TplName = "repo/settings/githook_edit"
tplDeployKeys base.TplName = "repo/settings/deploy_keys"
tplProtectedBranch base.TplName = "repo/settings/protected_branch"
)
// Settings show a repository's settings page
@ -437,143 +438,6 @@ func DeleteCollaboration(ctx *context.Context) {
})
}
// ProtectedBranch render the page to protect the repository
func ProtectedBranch(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("repo.settings")
ctx.Data["PageIsSettingsBranches"] = true
protectedBranches, err := ctx.Repo.Repository.GetProtectedBranches()
if err != nil {
ctx.Handle(500, "GetProtectedBranches", err)
return
}
ctx.Data["ProtectedBranches"] = protectedBranches
branches := ctx.Data["Branches"].([]string)
leftBranches := make([]string, 0, len(branches)-len(protectedBranches))
for _, b := range branches {
var protected bool
for _, pb := range protectedBranches {
if b == pb.BranchName {
protected = true
break
}
}
if !protected {
leftBranches = append(leftBranches, b)
}
}
ctx.Data["LeftBranches"] = leftBranches
ctx.HTML(200, tplBranches)
}
// ProtectedBranchPost response for protect for a branch of a repository
func ProtectedBranchPost(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("repo.settings")
ctx.Data["PageIsSettingsBranches"] = true
repo := ctx.Repo.Repository
switch ctx.Query("action") {
case "default_branch":
if ctx.HasError() {
ctx.HTML(200, tplBranches)
return
}
branch := ctx.Query("branch")
if !ctx.Repo.GitRepo.IsBranchExist(branch) {
ctx.Status(404)
return
} else if repo.DefaultBranch != branch {
repo.DefaultBranch = branch
if err := ctx.Repo.GitRepo.SetDefaultBranch(branch); err != nil {
if !git.IsErrUnsupportedVersion(err) {
ctx.Handle(500, "SetDefaultBranch", err)
return
}
}
if err := repo.UpdateDefaultBranch(); err != nil {
ctx.Handle(500, "SetDefaultBranch", err)
return
}
}
log.Trace("Repository basic settings updated: %s/%s", ctx.Repo.Owner.Name, repo.Name)
ctx.Flash.Success(ctx.Tr("repo.settings.update_settings_success"))
ctx.Redirect(setting.AppSubURL + ctx.Req.URL.Path)
case "protected_branch":
if ctx.HasError() {
ctx.JSON(200, map[string]string{
"redirect": setting.AppSubURL + ctx.Req.URL.Path,
})
return
}
branchName := strings.ToLower(ctx.Query("branchName"))
if len(branchName) == 0 || !ctx.Repo.GitRepo.IsBranchExist(branchName) {
ctx.JSON(200, map[string]string{
"redirect": setting.AppSubURL + ctx.Req.URL.Path,
})
return
}
canPush := ctx.QueryBool("canPush")
if canPush {
if err := ctx.Repo.Repository.AddProtectedBranch(branchName, canPush); err != nil {
ctx.Flash.Error(ctx.Tr("repo.settings.add_protected_branch_failed", branchName))
ctx.JSON(200, map[string]string{
"status": "ok",
})
return
}
ctx.Flash.Success(ctx.Tr("repo.settings.add_protected_branch_success", branchName))
ctx.JSON(200, map[string]string{
"redirect": setting.AppSubURL + ctx.Req.URL.Path,
})
} else {
if err := ctx.Repo.Repository.DeleteProtectedBranch(ctx.QueryInt64("id")); err != nil {
ctx.Flash.Error("DeleteProtectedBranch: " + err.Error())
} else {
ctx.Flash.Success(ctx.Tr("repo.settings.remove_protected_branch_success", branchName))
}
ctx.JSON(200, map[string]interface{}{
"status": "ok",
})
}
default:
ctx.Handle(404, "", nil)
}
}
// ChangeProtectedBranch response for changing access of a protect branch
func ChangeProtectedBranch(ctx *context.Context) {
if err := ctx.Repo.Repository.ChangeProtectedBranch(
ctx.QueryInt64("id"),
ctx.QueryBool("canPush")); err != nil {
log.Error(4, "ChangeProtectedBranch: %v", err)
}
}
// DeleteProtectedBranch delete a protection for a branch of a repository
func DeleteProtectedBranch(ctx *context.Context) {
if err := ctx.Repo.Repository.DeleteProtectedBranch(ctx.QueryInt64("id")); err != nil {
ctx.Flash.Error("DeleteProtectedBranch: " + err.Error())
} else {
ctx.Flash.Success(ctx.Tr("repo.settings.remove_protected_branch_success"))
}
ctx.JSON(200, map[string]interface{}{
"redirect": ctx.Repo.RepoLink + "/settings/branches",
})
}
// parseOwnerAndRepo get repos by owner
func parseOwnerAndRepo(ctx *context.Context) (*models.User, *models.Repository) {
owner, err := models.GetUserByName(ctx.Params(":username"))

186
routers/repo/setting_protected_branch.go Normal file
View file

@ -0,0 +1,186 @@
// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package repo
import (
"fmt"
"strings"
"code.gitea.io/git"
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/auth"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
)
// ProtectedBranch render the page to protect the repository
func ProtectedBranch(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("repo.settings")
ctx.Data["PageIsSettingsBranches"] = true
protectedBranches, err := ctx.Repo.Repository.GetProtectedBranches()
if err != nil {
ctx.Handle(500, "GetProtectedBranches", err)
return
}
ctx.Data["ProtectedBranches"] = protectedBranches
branches := ctx.Data["Branches"].([]string)
leftBranches := make([]string, 0, len(branches)-len(protectedBranches))
for _, b := range branches {
var protected bool
for _, pb := range protectedBranches {
if b == pb.BranchName {
protected = true
break
}
}
if !protected {
leftBranches = append(leftBranches, b)
}
}
ctx.Data["LeftBranches"] = leftBranches
ctx.HTML(200, tplBranches)
}
// ProtectedBranchPost response for protect for a branch of a repository
func ProtectedBranchPost(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("repo.settings")
ctx.Data["PageIsSettingsBranches"] = true
repo := ctx.Repo.Repository
switch ctx.Query("action") {
case "default_branch":
if ctx.HasError() {
ctx.HTML(200, tplBranches)
return
}
branch := ctx.Query("branch")
if !ctx.Repo.GitRepo.IsBranchExist(branch) {
ctx.Status(404)
return
} else if repo.DefaultBranch != branch {
repo.DefaultBranch = branch
if err := ctx.Repo.GitRepo.SetDefaultBranch(branch); err != nil {
if !git.IsErrUnsupportedVersion(err) {
ctx.Handle(500, "SetDefaultBranch", err)
return
}
}
if err := repo.UpdateDefaultBranch(); err != nil {
ctx.Handle(500, "SetDefaultBranch", err)
return
}
}
log.Trace("Repository basic settings updated: %s/%s", ctx.Repo.Owner.Name, repo.Name)
ctx.Flash.Success(ctx.Tr("repo.settings.update_settings_success"))
ctx.Redirect(setting.AppSubURL + ctx.Req.URL.Path)
default:
ctx.Handle(404, "", nil)
}
}
// SettingsProtectedBranch renders the protected branch setting page
func SettingsProtectedBranch(c *context.Context) {
branch := c.Params("*")
if !c.Repo.GitRepo.IsBranchExist(branch) {
c.NotFound()
return
}
c.Data["Title"] = c.Tr("repo.settings.protected_branches") + " - " + branch
c.Data["PageIsSettingsBranches"] = true
protectBranch, err := models.GetProtectedBranchBy(c.Repo.Repository.ID, branch)
if err != nil {
if !models.IsErrBranchNotExist(err) {
c.Handle(500, "GetProtectBranchOfRepoByName", err)
return
}
}
if protectBranch == nil {
// No options found, create defaults.
protectBranch = &models.ProtectedBranch{
BranchName: branch,
}
}
users, err := c.Repo.Repository.GetWriters()
if err != nil {
c.Handle(500, "Repo.Repository.GetWriters", err)
return
}
c.Data["Users"] = users
c.Data["whitelist_users"] = strings.Join(base.Int64sToStrings(protectBranch.WhitelistUserIDs), ",")
if c.Repo.Owner.IsOrganization() {
teams, err := c.Repo.Owner.TeamsWithAccessToRepo(c.Repo.Repository.ID, models.AccessModeWrite)
if err != nil {
c.Handle(500, "Repo.Owner.TeamsWithAccessToRepo", err)
return
}
c.Data["Teams"] = teams
c.Data["whitelist_teams"] = strings.Join(base.Int64sToStrings(protectBranch.WhitelistTeamIDs), ",")
}
c.Data["Branch"] = protectBranch
c.HTML(200, tplProtectedBranch)
}
// SettingsProtectedBranchPost updates the protected branch settings
func SettingsProtectedBranchPost(ctx *context.Context, f auth.ProtectBranchForm) {
branch := ctx.Params("*")
if !ctx.Repo.GitRepo.IsBranchExist(branch) {
ctx.NotFound()
return
}
protectBranch, err := models.GetProtectedBranchBy(ctx.Repo.Repository.ID, branch)
if err != nil {
if !models.IsErrBranchNotExist(err) {
ctx.Handle(500, "GetProtectBranchOfRepoByName", err)
return
}
}
if f.Protected {
if protectBranch == nil {
// No options found, create defaults.
protectBranch = &models.ProtectedBranch{
RepoID: ctx.Repo.Repository.ID,
BranchName: branch,
}
}
protectBranch.EnableWhitelist = f.EnableWhitelist
whitelistUsers, _ := base.StringsToInt64s(strings.Split(f.WhitelistUsers, ","))
whitelistTeams, _ := base.StringsToInt64s(strings.Split(f.WhitelistTeams, ","))
err = models.UpdateProtectBranch(ctx.Repo.Repository, protectBranch, whitelistUsers, whitelistTeams)
if err != nil {
ctx.Handle(500, "UpdateProtectBranch", err)
return
}
ctx.Flash.Success(ctx.Tr("repo.settings.update_protect_branch_success", branch))
ctx.Redirect(fmt.Sprintf("%s/settings/branches/%s", ctx.Repo.RepoLink, branch))
} else {
if protectBranch != nil {
if err := ctx.Repo.Repository.DeleteProtectedBranch(protectBranch.ID); err != nil {
ctx.Handle(500, "DeleteProtectedBranch", err)
return
}
}
ctx.Flash.Success(ctx.Tr("repo.settings.remove_protected_branch_success", branch))
ctx.Redirect(fmt.Sprintf("%s/settings/branches", ctx.Repo.RepoLink))
}
}

4
routers/routes/routes.go
View file

@ -433,8 +433,8 @@ func RegisterRoutes(m *macaron.Macaron) {
})
m.Group("/branches", func() {
m.Combo("").Get(repo.ProtectedBranch).Post(repo.ProtectedBranchPost)
m.Post("/can_push", repo.ChangeProtectedBranch)
m.Post("/delete", repo.DeleteProtectedBranch)
m.Combo("/*").Get(repo.SettingsProtectedBranch).
Post(bindIgnErr(auth.ProtectBranchForm{}), repo.SettingsProtectedBranchPost)
}, repo.MustBeNotBare)
m.Group("/hooks", func() {

14
templates/repo/settings/branches.tmpl
View file

@ -39,20 +39,16 @@
<h4 class="ui top attached header">
{{.i18n.Tr "repo.settings.protected_branch"}}
</h4>
<div class="ui attached table segment">
<div class="ui grid padded">
<div class="eight wide column">
<div class="ui fluid dropdown selection" tabindex="0">
<select id="protectedBranch" name="branch" data-url="{{.Repository.Link}}/settings/branches?action=protected_branch">
{{range .LeftBranches}}
<option value="">{{$.i18n.Tr "repo.settings.choose_branch"}}</option>
<option value="{{.}}">{{.}}</option>
{{end}}
</select><i class="dropdown icon"></i>
<i class="dropdown icon"></i>
<div class="default text">{{.i18n.Tr "repo.settings.choose_branch"}}</div>
<div class="menu transition hidden" tabindex="-1" style="display: block !important;">
{{range .LeftBranches}}
<div class="item" data-value="{{.}}">{{.}}</div>
<a class="item" href="{{$.Repository.Link}}/settings/branches/{{.}}">{{.}}</a>
{{end}}
</div>
</div>
@ -65,8 +61,8 @@
<tbody>
{{range .ProtectedBranches}}
<tr>
<td><div class="ui large label">{{.BranchName}}</div></td>
<td class="right aligned"><button class="rm ui red button" data-url="{{$.Repository.Link}}/settings/branches?action=protected_branch&id={{.ID}}" data-val="{{.BranchName}}">Delete</button></td>
<td><div class="ui basic label blue">{{.BranchName}}</div></td>
<td class="right aligned"><a class="rm ui button" href="{{$.Repository.Link}}/settings/branches/{{.BranchName}}">Edit</a></td>
</tr>
{{else}}
<tr class="center aligned"><td>{{.i18n.Tr "repo.settings.no_protected_branch"}}</td></tr>

74
templates/repo/settings/protected_branch.tmpl Normal file
View file

@ -0,0 +1,74 @@
{{template "base/head" .}}
<div class="repository settings branches">
{{template "repo/header" .}}
{{template "repo/settings/navbar" .}}
<div class="ui container">
{{template "base/alert" .}}
<h4 class="ui top attached header">
{{.i18n.Tr "repo.settings.branch_protection" .Branch.BranchName | Str2html}}
</h4>
<div class="ui attached segment branch-protection">
<form class="ui form" action="{{.Link}}" method="post">
{{.CsrfTokenHtml}}
<div class="inline field">
<div class="ui checkbox">
<input class="enable-protection" name="protected" type="checkbox" data-target="#protection_box" {{if .Branch.IsProtected}}checked{{end}}>
<label>{{.i18n.Tr "repo.settings.protect_this_branch"}}</label>
<p class="help">{{.i18n.Tr "repo.settings.protect_this_branch_desc"}}</p>
</div>
</div>
<div id="protection_box" class="fields {{if not .Branch.IsProtected}}disabled{{end}}">
<div class="field">
<div class="ui checkbox">
<input class="enable-whitelist" name="enable_whitelist" type="checkbox" data-target="#whitelist_box" {{if .Branch.EnableWhitelist}}checked{{end}}>
<label>{{.i18n.Tr "repo.settings.protect_whitelist_committers"}}</label>
<p class="help">{{.i18n.Tr "repo.settings.protect_whitelist_committers_desc"}}</p>
</div>
</div>
<div id="whitelist_box" class="fields {{if not .Branch.EnableWhitelist}}disabled{{end}}">
<div class="whitelist field">
<label>{{.i18n.Tr "repo.settings.protect_whitelist_users"}}</label>
<div class="ui multiple search selection dropdown">
<input type="hidden" name="whitelist_users" value="{{.whitelist_users}}">
<div class="default text">{{.i18n.Tr "repo.settings.protect_whitelist_search_users"}}</div>
<div class="menu">
{{range .Users}}
<div class="item" data-value="{{.ID}}">
<img class="ui mini image" src="{{.RelAvatarLink}}">
{{.Name}}
</div>
{{end}}
</div>
</div>
</div>
{{if .Owner.IsOrganization}}
<br>
<div class="whitelist field">
<label>{{.i18n.Tr "repo.settings.protect_whitelist_teams"}}</label>
<div class="ui multiple search selection dropdown">
<input type="hidden" name="whitelist_teams" value="{{.whitelist_teams}}">
<div class="default text">{{.i18n.Tr "repo.settings.protect_whitelist_search_teams"}}</div>
<div class="menu">
{{range .Teams}}
<div class="item" data-value="{{.ID}}">
<i class="octicon octicon-jersey"></i>
{{.Name}}
</div>
{{end}}
</div>
</div>
</div>
{{end}}
</div>
</div>
<div class="ui divider"></div>
<div class="field">
<button class="ui green button">{{$.i18n.Tr "repo.settings.update_settings"}}</button>
</div>
</form>
</div>
</div>
</div>
{{template "base/footer" .}}