Branch protection: Possibility to not use whitelist but allow anyone with write access

integrations/git_test.go

@@ -385,6 +385,7 @@ func doProtectBranch(ctx APITestContext, branch string, userToWhitelist string)
 			req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings/branches/%s", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame), url.PathEscape(branch)), map[string]string{
 				"_csrf":            csrf,
 				"protected":        "on",
+				"enable_push":      "whitelist",
 				"enable_whitelist": "on",
 				"whitelist_users":  strconv.FormatInt(user.ID, 10),
 			})

models/branches.go

@@ -26,11 +26,11 @@ const (
 
 // ProtectedBranch struct
 type ProtectedBranch struct {
-	ID                        int64  `xorm:"pk autoincr"`
-	RepoID                    int64  `xorm:"UNIQUE(s)"`
-	BranchName                string `xorm:"UNIQUE(s)"`
-	CanPush                   bool   `xorm:"NOT NULL DEFAULT false"`
-	EnableWhitelist           bool
+	ID                        int64              `xorm:"pk autoincr"`
+	RepoID                    int64              `xorm:"UNIQUE(s)"`
+	BranchName                string             `xorm:"UNIQUE(s)"`
+	CanPush                   bool               `xorm:"NOT NULL DEFAULT false"`
+	EnableWhitelist           bool               `xorm:"NOT NULL DEFAULT false"`
 	WhitelistUserIDs          []int64            `xorm:"JSON TEXT"`
 	WhitelistTeamIDs          []int64            `xorm:"JSON TEXT"`
 	EnableMergeWhitelist      bool               `xorm:"NOT NULL DEFAULT false"`
@@ -39,6 +39,7 @@ type ProtectedBranch struct {
 	MergeWhitelistTeamIDs     []int64            `xorm:"JSON TEXT"`
 	EnableStatusCheck         bool               `xorm:"NOT NULL DEFAULT false"`
 	StatusCheckContexts       []string           `xorm:"JSON TEXT"`
+	EnableApprovalsWhitelist  bool               `xorm:"NOT NULL DEFAULT false"`
 	ApprovalsWhitelistUserIDs []int64            `xorm:"JSON TEXT"`
 	ApprovalsWhitelistTeamIDs []int64            `xorm:"JSON TEXT"`
 	RequiredApprovals         int64              `xorm:"NOT NULL DEFAULT 0"`
@@ -53,10 +54,25 @@ func (protectBranch *ProtectedBranch) IsProtected() bool {
 
 // CanUserPush returns if some user could push to this protected branch
 func (protectBranch *ProtectedBranch) CanUserPush(userID int64) bool {
-	if !protectBranch.EnableWhitelist {
+	if !protectBranch.CanPush {
 		return false
 	}
 
+	if !protectBranch.EnableWhitelist {
+		if user, err := GetUserByID(userID); err != nil {
+			log.Error("GetUserByID: %v", err)
+			return false
+		} else if repo, err := GetRepositoryByID(protectBranch.RepoID); err != nil {
+			log.Error("GetRepositoryByID: %v", err)
+			return false
+		} else if writeAccess, err := HasAccessUnit(user, repo, UnitTypeCode, AccessModeWrite); err != nil {
+			log.Error("HasAccessUnit: %v", err)
+			return false
+		} else {
+			return writeAccess
+		}
+	}
+
 	if base.Int64sContains(protectBranch.WhitelistUserIDs, userID) {
 		return true
 	}
@@ -111,12 +127,28 @@ func (protectBranch *ProtectedBranch) GetGrantedApprovalsCount(pr *PullRequest)
 		return 0
 	}
 
+	repo, err := GetRepositoryByID(protectBranch.RepoID)
+	if err != nil {
+		log.Error("GetRepositoryByID: %v", err)
+		return 0
+	}
+
 	approvals := int64(0)
 	userIDs := make([]int64, 0)
 	for _, review := range reviews {
 		if review.Type != ReviewTypeApprove {
 			continue
 		}
+		if !protectBranch.EnableApprovalsWhitelist {
+			if user, err := GetUserByID(review.ID); err != nil {
+				log.Error("GetUserByID: %v", err)
+			} else if writeAccess, err := HasAccessUnit(user, repo, UnitTypeCode, AccessModeWrite); err != nil {
+				log.Error("HasAccessUnit: %v", err)
+			} else if writeAccess {
+				approvals++
+			}
+			continue
+		}
 		if base.Int64sContains(protectBranch.ApprovalsWhitelistUserIDs, review.ID) {
 			approvals++
 			continue

models/migrations/migrations.go

@@ -272,6 +272,8 @@ var migrations = []Migration{
 	NewMigration("Add template options to repository", addTemplateToRepo),
 	// v108 -> v109
 	NewMigration("Add comment_id on table notification", addCommentIDOnNotification),
+	// v109 -> v110
+	NewMigration("update branch protection for can push and whitelist enable", addBranchProtectionCanPushAndEnableWhitelist),
 }
 
 // Migrate database to current version

models/migrations/v109.go

@@ -0,0 +1,32 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"xorm.io/xorm"
+)
+
+func addBranchProtectionCanPushAndEnableWhitelist(x *xorm.Engine) error {
+
+	type ProtectedBranch struct {
+		CanPush                  bool  `xorm:"NOT NULL DEFAULT false"`
+		EnableWhitelist          bool  `xorm:"NOT NULL DEFAULT false"`
+		EnableApprovalsWhitelist bool  `xorm:"NOT NULL DEFAULT false"`
+		RequiredApprovals        int64 `xorm:"NOT NULL DEFAULT 0"`
+	}
+
+	sess := x.NewSession()
+	defer sess.Close()
+
+	if err := x.Sync2(new(ProtectedBranch)); err != nil {
+		return err
+	}
+
+	if _, err := x.Exec("UPDATE `protected_branch` SET `can_push` = `enable_whitelist`"); err != nil {
+		return err
+	}
+	_, err := x.Exec("UPDATE `protected_branch` SET `enable_approvals_whitelist` = ? WHERE `required_approvals` > ?", true, 0)
+	return err
+}

modules/auth/repo_form.go

@@ -153,19 +153,20 @@ func (f *RepoSettingForm) Validate(ctx *macaron.Context, errs binding.Errors) bi
 
 // ProtectBranchForm form for changing protected branch settings
 type ProtectBranchForm struct {
-	Protected               bool
-	EnableWhitelist         bool
-	WhitelistUsers          string
-	WhitelistTeams          string
-	WhitelistDeployKeys     bool
-	EnableMergeWhitelist    bool
-	MergeWhitelistUsers     string
-	MergeWhitelistTeams     string
-	EnableStatusCheck       bool `xorm:"NOT NULL DEFAULT false"`
-	StatusCheckContexts     []string
-	RequiredApprovals       int64
-	ApprovalsWhitelistUsers string
-	ApprovalsWhitelistTeams string
+	Protected                bool
+	EnablePush               string
+	WhitelistUsers           string
+	WhitelistTeams           string
+	WhitelistDeployKeys      bool
+	EnableMergeWhitelist     bool
+	MergeWhitelistUsers      string
+	MergeWhitelistTeams      string
+	EnableStatusCheck        bool `xorm:"NOT NULL DEFAULT false"`
+	StatusCheckContexts      []string
+	RequiredApprovals        int64
+	EnableApprovalsWhitelist bool
+	ApprovalsWhitelistUsers  string
+	ApprovalsWhitelistTeams  string
 }
 
 // Validate validates the fields

options/locale/locale_en-US.ini

@@ -1361,9 +1361,13 @@ settings.protected_branch_can_push_yes = You can push
 settings.protected_branch_can_push_no = You can not push
 settings.branch_protection = Branch Protection for Branch '<b>%s</b>'
 settings.protect_this_branch = Enable Branch Protection
-settings.protect_this_branch_desc = Prevent deletion and disable any Git pushing to the branch.
-settings.protect_whitelist_committers = Enable Push Whitelist
-settings.protect_whitelist_committers_desc = Allow whitelisted users or teams to push to this branch (but not force push).
+settings.protect_this_branch_desc = Prevents deletion and restricts Git pushing and merging to the branch.
+settings.protect_disable_push = Disable Push
+settings.protect_disable_push_desc = No pushing will be allowed to this branch.
+settings.protect_enable_push = Enable Push
+settings.protect_enable_push_desc = Anyone with write access will be allowed to push to this branch (but not force push).
+settings.protect_whitelist_committers = Whitelist Restricted Push
+settings.protect_whitelist_committers_desc = Only whitelisted users or teams will be allowed to push to this branch (but not force push).
 settings.protect_whitelist_deploy_keys = Whitelist deploy keys with write access to push
 settings.protect_whitelist_users = Whitelisted users for pushing:
 settings.protect_whitelist_search_users = Search users…
@@ -1377,7 +1381,9 @@ settings.protect_check_status_contexts = Enable Status Check
 settings.protect_check_status_contexts_desc = Require status checks to pass before merging Choose which status checks must pass before branches can be merged into a branch that matches this rule. When enabled, commits must first be pushed to another branch, then merged or pushed directly to a branch that matches this rule after status checks have passed. If no contexts are selected, the last commit must be successful regardless of context.
 settings.protect_check_status_contexts_list = Status checks found in the last week for this repository
 settings.protect_required_approvals = Required approvals:
-settings.protect_required_approvals_desc = Allow only to merge pull request with enough positive reviews of whitelisted users or teams.
+settings.protect_required_approvals_desc = Allow only to merge pull request with enough positive reviews.
+settings.protect_approvals_whitelist_enabled = Restrict approvals to whitelisted users or teams
+settings.protect_approvals_whitelist_enabled_desc = Only reviews from whitelisted users or teams will count to the required approvals. Without approval whitelist, reviews from anyone with write access count to the required approvals. 
 settings.protect_approvals_whitelist_users = Whitelisted reviewers:
 settings.protect_approvals_whitelist_teams = Whitelisted teams for reviews:
 settings.add_protected_branch = Enable protection

routers/private/hook.go

@@ -98,7 +98,7 @@ func HookPreReceive(ctx *macaron.Context) {
 
 		canPush := false
 		if isDeployKey {
-			canPush = protectBranch.WhitelistDeployKeys
+			canPush = protectBranch.CanPush && (!protectBranch.EnableWhitelist || protectBranch.WhitelistDeployKeys)
 		} else {
 			canPush = protectBranch.CanUserPush(userID)
 		}

routers/repo/setting_protected_branch.go

@@ -196,7 +196,17 @@ func SettingsProtectedBranchPost(ctx *context.Context, f auth.ProtectBranchForm)
 		}
 
 		var whitelistUsers, whitelistTeams, mergeWhitelistUsers, mergeWhitelistTeams, approvalsWhitelistUsers, approvalsWhitelistTeams []int64
-		protectBranch.EnableWhitelist = f.EnableWhitelist
+		switch f.EnablePush {
+		case "all":
+			protectBranch.CanPush = true
+			protectBranch.EnableWhitelist = false
+		case "whitelist":
+			protectBranch.CanPush = true
+			protectBranch.EnableWhitelist = true
+		default:
+			protectBranch.CanPush = false
+			protectBranch.EnableWhitelist = false
+		}
 		if strings.TrimSpace(f.WhitelistUsers) != "" {
 			whitelistUsers, _ = base.StringsToInt64s(strings.Split(f.WhitelistUsers, ","))
 		}
@@ -216,6 +226,7 @@ func SettingsProtectedBranchPost(ctx *context.Context, f auth.ProtectBranchForm)
 		protectBranch.WhitelistDeployKeys = f.WhitelistDeployKeys
 
 		protectBranch.RequiredApprovals = f.RequiredApprovals
+		protectBranch.EnableApprovalsWhitelist = f.EnableApprovalsWhitelist
 		if strings.TrimSpace(f.ApprovalsWhitelistUsers) != "" {
 			approvalsWhitelistUsers, _ = base.StringsToInt64s(strings.Split(f.ApprovalsWhitelistUsers, ","))
 		}

templates/repo/settings/protected_branch.tmpl

@@ -19,8 +19,22 @@
 				</div>
 				<div id="protection_box" class="fields {{if not .Branch.IsProtected}}disabled{{end}}">
 					<div class="field">
-						<div class="ui checkbox">
-							<input class="enable-whitelist" name="enable_whitelist" type="checkbox" data-target="#whitelist_box" {{if .Branch.EnableWhitelist}}checked{{end}}>
+						<div class="ui radio checkbox">
+							<input name="enable_push" type="radio" value="none" class="disable-whitelist" data-target="#whitelist_box" {{if not .Branch.CanPush}}checked{{end}}>
+							<label>{{.i18n.Tr "repo.settings.protect_disable_push"}}</label>
+							<p class="help">{{.i18n.Tr "repo.settings.protect_disable_push_desc"}}</p>
+						</div>
+					</div>
+					<div class="field">
+						<div class="ui radio checkbox">
+							<input name="enable_push" type="radio" value="all" class="disable-whitelist" data-target="#whitelist_box" {{if and (.Branch.CanPush) (not .Branch.EnableWhitelist)}}checked{{end}}>
+							<label>{{.i18n.Tr "repo.settings.protect_enable_push"}}</label>
+							<p class="help">{{.i18n.Tr "repo.settings.protect_enable_push_desc"}}</p>
+						</div>
+					</div>
+					<div class="field">
+						<div class="ui radio checkbox">
+							<input name="enable_push" type="radio" value="whitelist" class="enable-whitelist" data-target="#whitelist_box" {{if and (.Branch.CanPush) (.Branch.EnableWhitelist)}}checked{{end}}>
 							<label>{{.i18n.Tr "repo.settings.protect_whitelist_committers"}}</label>
 							<p class="help">{{.i18n.Tr "repo.settings.protect_whitelist_committers_desc"}}</p>
 						</div>
@@ -148,7 +162,14 @@
 						<input name="required_approvals" id="required-approvals" type="number" value="{{.Branch.RequiredApprovals}}">
 						<p class="help">{{.i18n.Tr "repo.settings.protect_required_approvals_desc"}}</p>
 					</div>
-					<div class="fields">
+					<div class="field">
+						<div class="ui checkbox">
+							<input class="enable-whitelist" name="enable_approvals_whitelist" type="checkbox" data-target="#approvals_whitelist_box" {{if .Branch.EnableApprovalsWhitelist}}checked{{end}}>
+							<label>{{.i18n.Tr "repo.settings.protect_approvals_whitelist_enabled"}}</label>
+							<p class="help">{{.i18n.Tr "repo.settings.protect_approvals_whitelist_enabled_desc"}}</p>
+						</div>
+					</div>
+					<div id="approvals_whitelist_box" class="fields {{if not .Branch.EnableApprovalsWhitelist}}disabled{{end}}">
 						<div class="whitelist field">
 							<label>{{.i18n.Tr "repo.settings.protect_approvals_whitelist_users"}}</label>
 							<div class="ui multiple search selection dropdown">
@@ -164,24 +185,24 @@
 								</div>
 							</div>
 						</div>
-					{{if .Owner.IsOrganization}}
-						<br>
-						<div class="whitelist field">
-							<label>{{.i18n.Tr "repo.settings.protect_approvals_whitelist_teams"}}</label>
-							<div class="ui multiple search selection dropdown">
-								<input type="hidden" name="approvals_whitelist_teams" value="{{.approvals_whitelist_teams}}">
-								<div class="default text">{{.i18n.Tr "repo.settings.protect_whitelist_search_teams"}}</div>
-								<div class="menu">
-								{{range .Teams}}
-									<div class="item" data-value="{{.ID}}">
-										<i class="octicon octicon-jersey"></i>
-									{{.Name}}
+						{{if .Owner.IsOrganization}}
+							<br>
+							<div class="whitelist field">
+								<label>{{.i18n.Tr "repo.settings.protect_approvals_whitelist_teams"}}</label>
+								<div class="ui multiple search selection dropdown">
+									<input type="hidden" name="approvals_whitelist_teams" value="{{.approvals_whitelist_teams}}">
+									<div class="default text">{{.i18n.Tr "repo.settings.protect_whitelist_search_teams"}}</div>
+									<div class="menu">
+									{{range .Teams}}
+										<div class="item" data-value="{{.ID}}">
+											<i class="octicon octicon-jersey"></i>
+										{{.Name}}
+										</div>
+									{{end}}
 									</div>
-								{{end}}
 								</div>
 							</div>
-						</div>
-					{{end}}
+						{{end}}
 					</div>
 				</div>
 

web_src/js/index.js

@@ -984,6 +984,11 @@ function initRepository() {
         $($(this).data('target')).addClass('disabled');
       }
     });
+    $('.disable-whitelist').change(function () {
+      if (this.checked) {
+        $($(this).data('target')).addClass('disabled');
+      }
+    });
   }
 }