author | zeripath <art27@cantab.net> | 2019-10-21 09:21:45 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-21 09:21:45 +0100 |
commit | 0bfe5eb10b1953cb1f85f7a7b6eb5f24724b8021 (patch) | |
tree | 8844040cf40b0f37c9457eade166a8bff1a91152 /routers | |
parent | b1c1e1549b50bbd5929e2c4dd72a1dbf4b511b50 (diff) | |
Allow Protected Branches to Whitelist Deploy Keys (#8483)
Add an option to protected branches to add writing deploy keys to the whitelist for pushing.
Please note this is technically a breaking change: previously if the owner of a repository was on the whitelist then any writing deploy key was effectively on the whitelist. This option will now need to be set if that is desired.
Closes #8472
Details:
* Allow Protected Branches to Whitelist Deploy Keys
* Add migration
* Ensure that IsDeployKey is set to false on the http pushes
* add not null default false
Diffstat (limited to 'routers')
-rw-r--r-- | routers/private/hook.go | 8 | ||||
-rw-r--r-- | routers/repo/http.go | 1 | ||||
-rw-r--r-- | routers/repo/setting_protected_branch.go | 1 |
3 files changed, 9 insertions, 1 deletions
diff --git a/routers/private/hook.go b/routers/private/hook.go
index 1f6ab2f673..074e3aef19 100644
--- a/routers/private/hook.go
+++ b/routers/private/hook.go
@@ -33,6 +33,7 @@ func HookPreReceive(ctx *macaron.Context) {
 gitAlternativeObjectDirectories := ctx.QueryTrim("gitAlternativeObjectDirectories")
 gitQuarantinePath := ctx.QueryTrim("gitQuarantinePath")
 prID := ctx.QueryInt64("prID")
+ isDeployKey := ctx.QueryBool("isDeployKey")
 branchName := strings.TrimPrefix(refFullName, git.BranchPrefix)
 repo, err := models.GetRepositoryByOwnerAndName(ownerName, repoName)
@@ -95,7 +96,12 @@ func HookPreReceive(ctx *macaron.Context) {
 }
 }
- canPush := protectBranch.CanUserPush(userID)
+ canPush := false
+ if isDeployKey {
+ canPush = protectBranch.WhitelistDeployKeys
+ } else {
+ canPush = protectBranch.CanUserPush(userID)
+ }
 if !canPush && prID > 0 {
 pr, err := models.GetPullRequestByID(prID)
 if err != nil {
diff --git a/routers/repo/http.go b/routers/repo/http.go
index 09dd820585..d41c63ba35 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -263,6 +263,7 @@ func HTTP(ctx *context.Context) {
 models.EnvPusherName + "=" + authUser.Name,
 models.EnvPusherID + fmt.Sprintf("=%d", authUser.ID),
 models.ProtectedBranchRepoID + fmt.Sprintf("=%d", repo.ID),
+ models.EnvIsDeployKey + "=false",
 }
 if !authUser.KeepEmailPrivate {
diff --git a/routers/repo/setting_protected_branch.go b/routers/repo/setting_protected_branch.go
index 2a8502e6f4..bc4d7c3a9e 100644
--- a/routers/repo/setting_protected_branch.go
+++ b/routers/repo/setting_protected_branch.go
@@ -213,6 +213,7 @@ func SettingsProtectedBranchPost(ctx *context.Context, f auth.ProtectBranchForm)
 protectBranch.EnableStatusCheck = f.EnableStatusCheck
 protectBranch.StatusCheckContexts = f.StatusCheckContexts
+ protectBranch.WhitelistDeployKeys = f.WhitelistDeployKeys
 protectBranch.RequiredApprovals = f.RequiredApprovals
 if strings.TrimSpace(f.ApprovalsWhitelistUsers) != "" { |
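Review bot: In the `isDeployKey` branch of HookPreReceive, `canPush` is taken from `protectBranch.WhitelistDeployKeys` alone, so the push decision for a protected branch rests entirely on the `isDeployKey` query value read in the first hunk of this file. Nothing visible here confirms that the caller really authenticated with a deploy key that has write access to this repository. That is presumably established by the SSH/HTTP entry point before the hook runs, and the private route is presumably restricted to internal callers, but neither is shown in this diff. The assumption should be written down above the branch, e.g. `// isDeployKey comes from the pusher environment (EnvIsDeployKey); key ownership and write mode are verified by the caller, not here`. As a smaller style point, `canPush := false` is overwritten on both paths, so `var canPush bool` would read more plainly. The function body starts and ends outside both hunks.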
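Review bot: The new `models.EnvIsDeployKey + "=false",` entry in HTTP's environment list carries no comment, although it is what steers the pre-receive hook onto the per-user `CanUserPush` check for HTTP pushes. Because the hook treats this flag as an authorization input, a later edit that drops or conditionalises the line would change protected-branch enforcement without any obvious signal. I would add `// HTTP pushes always authenticate as a user, never as a deploy key; set explicitly so the hook does not see a missing or inherited value` directly above it. The surrounding slice literal and function continue outside the hunk.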