Skip to content

Move immutable tag checking to ee for ContainerRepository

Adie (she/her)requested to merge
547113-move-immutable-tag-rule-check-to-ee into master

What does this MR do and why?

In this MR, we update the ContainerRepository#protected_from_delete_by_tag_rules? method to have the checking of immutable tag rules in EE and behind Ultimate. We also add tests and extract and reuse common examples.

How to set up and validate locally

Prerequisites:

  • A project with at least one container repository with a tag
  • A mutable and an immutable tag rule on the project so we can test the different scenarios
    • For the mutable tag, set the access levels to :admin.

Code to be ran in the rails console in the scenarios below

reload!

# variables that we will need
container_repository = ContainerRepository.find(id)
current_user = User.find(user_id) # in the scenarios below, the current_user will be described

# testing the method that we are updating in this MR
container_repository.protected_from_delete_by_tag_rules?(current_user)

1. On CE

When the user is an Admin, the mutable tag rules are ignored. Immutable tag rules are also ignored.

current_user = User.find(1) # update to an admin user
container_repository = ContainerRepository.find(id)

container_repository.protected_from_delete_by_tag_rules?(current_user)
# => false

When the user is NOT an Admin, the mutable tag rules are considered. Immutable tag rules are ignored on CE.

current_user = User.last # update to a non-admin user
container_repository = ContainerRepository.find(id)

container_repository.protected_from_delete_by_tag_rules?(current_user)
# => true

2. On EE WITHOUT Ultimate license:

Behaviour should be same as CE. Immutable tags are ignored.

3. On EE WITH Ultimate license - Immutable tag rules are ALWAYS taken into account:

Note below applies when the feature flag is enabled, otherwise, it will act like CE.

When the user is an Admin.

current_user = User.find(1) # update to an admin user
container_repository = ContainerRepository.find(id)

container_repository.protected_from_delete_by_tag_rules?(current_user)
# => true

When the user is NOT an Admin

current_user = User.last # update to a non-admin user
container_repository = ContainerRepository.find(id)

container_repository.protected_from_delete_by_tag_rules?(current_user)
# => true

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #547113

Merge request reports