author: Marius Mathiesen <marius@gitorious.org> 2012-07-06 12:39:23 (GMT)
committer: Marius Mathiesen <marius@gitorious.org> 2012-10-08 07:41:31 (GMT)
commit: d290cf481cfba3c14299e322837ca8292168118c
tree: c8e19935eaeceeb0fd644b66344404909591b58a /lib
parent: c6cd78c777bb4a3429a40bcef38fce31b8fc0255
Support authorization for push with LDAP backend
When Gitorious is configured to use LDAP for authorization, authorization for push needs to be done differently from otherwise. Rather than collecting all users who have push access and seeing if a given user is included, we start off with the groups a user is a member of (from LDAP) and see if any of these have push access to the repository. This is (mainly) because the list of users who are members of a group lives in LDAP, not our database.
Diffstat (limited to 'lib')
-rw-r--r-- lib/gitorious/authorization/database_authorization.rb 15
1 files changed, 15 insertions, 0 deletions
diff --git a/lib/gitorious/authorization/database_authorization.rb b/lib/gitorious/authorization/database_authorization.rb
index 878cd2b..d565830 100644
--- a/lib/gitorious/authorization/database_authorization.rb
+++ b/lib/gitorious/authorization/database_authorization.rb
@@ -92,6 +92,17 @@ module Gitorious
if repository.wiki?
can_write_to_wiki?(user, repository)
else
+ push_granted?(repository, user)
+ end
+ end
+
+ def push_granted?(repository, user)
+ if Team.group_implementation == LdapGroup
+ return true if committers(repository).include?(user)
+ groups = Team.for_user(user)
+ groups_with_access = ldap_groups_with_commit_access(repository)
+ return groups_with_access.any?{|group| groups.include?(group) }
+ else
committers(repository).include?(user)
end
end
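Review bot: In push_granted?, the LDAP branch uses the result of Team.for_user(user) without a guard, so if that lookup returns nil the call to groups.include?(group) raises instead of returning false. Since this method decides push access, make the deny path explicit, for example by wrapping the result in Array(...) or returning false early when no groups come back. Two smaller points: the new method takes (repository, user) while can_write_to_wiki? just above takes (user, repository), which invites swapped arguments at later call sites, and the explicit return on the last line of the LDAP branch is not needed.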
@@ -170,6 +181,10 @@ module Gitorious
repository.committerships.committers.map{|c| c.members }.flatten.compact.uniq
end
+ def ldap_groups_with_commit_access(repository)
+ repository.committerships.committers.select{|c|c.committer_type == "LdapGroup"}.map(&:committer)
+ end
+
# Returns a list of Users who can review things (as per their Committership)
def reviewers(repository)
repository.committerships.reviewers.map{|c| c.members }.flatten.compact.uniq
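Review bot: ldap_groups_with_commit_access matches on the string literal "LdapGroup" while push_granted? compares against the LdapGroup constant, so a rename would break one of the two checks without any error; consider `c.committer_type == LdapGroup.name` so both depend on the same constant. The result of map(&:committer) is also not compacted, unlike the helper just above it and reviewers, which both end in .flatten.compact.uniq, so a committership whose group no longer resolves would put nil in the returned list. The new method also lacks the one-line comment that reviewers carries.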