Consider can_push? instead of ownership

landongrindheim · landongrindheim · commit cffa8614c5a4 · 2025-07-30T16:04:47.000-04:00
Ownership is proving to be trickier to keep consistent than I had hoped
it would be. I've been migrating to a permissions-based approach, which
has similar concerns beneath the covers, but is more explicit in its
implementation.
diff --git a/app/models/oidc/trusted_publisher/github_action.rb b/app/models/oidc/trusted_publisher/github_action.rb
@@ -147,7 +147,7 @@ def repository = "#{repository_owner}/#{repository_name}"
 
   def workflow_slug = ".github/workflows/#{workflow_filename}"
 
-  def owns_gem?(rubygem) = rubygem_trusted_publishers.exists?(rubygem: rubygem)
+  def can_push?(rubygem) = rubygem_trusted_publishers.exists?(rubygem: rubygem)
 
   private
 
diff --git a/app/models/pusher.rb b/app/models/pusher.rb
@@ -32,7 +32,7 @@ def process
   end
 
   def authorize
-    (rubygem.pushable? && (api_key.user? || find_pending_trusted_publisher)) || owner.owns_gem?(rubygem) || notify_unauthorized
+    (rubygem.pushable? && (api_key.user? || find_pending_trusted_publisher)) || owner.can_push?(rubygem) || notify_unauthorized
   end
 
   def verify_gem_scope
@@ -260,7 +260,7 @@ def republish_notification(version)
       notify("It appears that #{version.full_name} did not finish pushing.\n" \
              "Please contact support@rubygems.org for assistance if you pushed this gem more than a minute ago.", 409)
     else
-      different_owner = "pushed by a previous owner of this gem " unless owner.owns_gem?(version.rubygem)
+      different_owner = "pushed by a previous owner of this gem " unless owner.can_push?(version.rubygem)
       notify("A yanked version #{different_owner}already exists (#{version.full_name}).\n" \
              "Repushing of gem versions is not allowed. Please use a new version and retry", 409)
     end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -275,8 +275,8 @@ def blocked?
     blocked_email.present?
   end
 
-  def owns_gem?(rubygem)
-    rubygem.owned_by?(self)
+  def can_push?(rubygem)
+    GemPermissions.new(rubygem, self).can_push?
   end
 
   def acknowledge_policies!
diff --git a/test/integration/push_test.rb b/test/integration/push_test.rb
@@ -189,7 +189,7 @@ class PushTest < ActionDispatch::IntegrationTest
 
     rubygem = Rubygem.find_by!(name: "sandworm")
 
-    assert rubygem.owned_by?(@user)
+    assert @user.can_push?(rubygem)
     assert rubygem.oidc_rubygem_trusted_publishers.exists?(trusted_publisher: pending_trusted_publisher.trusted_publisher)
   end
 
@@ -213,7 +213,7 @@ class PushTest < ActionDispatch::IntegrationTest
 
     rubygem = Rubygem.find_by!(name: "sandworm")
 
-    assert rubygem.owned_by?(@user)
+    assert @user.can_push?(rubygem)
     assert rubygem.oidc_rubygem_trusted_publishers.exists?(trusted_publisher: pending_trusted_publisher.trusted_publisher)
   end
 
diff --git a/test/models/oidc/trusted_publisher/github_action_test.rb b/test/models/oidc/trusted_publisher/github_action_test.rb
@@ -111,15 +111,15 @@ class OIDC::TrustedPublisher::GitHubActionTest < ActiveSupport::TestCase
     assert_equal "GitHub Actions example/bar @ .github/workflows/push_gem.yml (test)", publisher.name
   end
 
-  test "#owns_gem?" do
+  test "#can_push?" do
     rubygem1 = create(:rubygem)
     rubygem2 = create(:rubygem)
 
     publisher = create(:oidc_trusted_publisher_github_action)
     create(:oidc_rubygem_trusted_publisher, trusted_publisher: publisher, rubygem: rubygem1)
 
-    assert publisher.owns_gem?(rubygem1)
-    refute publisher.owns_gem?(rubygem2)
+    assert publisher.can_push?(rubygem1)
+    refute publisher.can_push?(rubygem2)
   end
 
   test "#to_access_policy" do
diff --git a/test/models/pusher_test.rb b/test/models/pusher_test.rb
@@ -504,7 +504,7 @@ def two_cert_chain(signing_key:, root_not_before: Time.current, cert_not_before:
       owner = stub("owner", to_gid: nil)
       @api_key.update_columns(owner_id: 0, owner_type: "stub")
       @cutter.stubs(:owner).returns owner
-      owner.expects(:owns_gem?).with(@cutter.rubygem).returns(false)
+      owner.expects(:can_push?).with(@cutter.rubygem).returns(false)
 
       refute @cutter.authorize
       assert_equal "You are not allowed to push this gem.",
@@ -541,7 +541,7 @@ def two_cert_chain(signing_key:, root_not_before: Time.current, cert_not_before:
         owner = stub("owner", to_gid: nil)
         @api_key.update_columns(owner_id: 0, owner_type: "stub")
         @cutter.stubs(:owner).returns owner
-        owner.expects(:owns_gem?).with(@rubygem).returns(false)
+        owner.expects(:can_push?).with(@rubygem).returns(false)
 
         refute @cutter.authorize
         assert_equal "You are not allowed to push this gem.",
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
@@ -1028,4 +1028,23 @@ class UserTest < ActiveSupport::TestCase
       refute_predicate user, :policies_acknowledged?
     end
   end
+
+  context "#can_push?" do
+    should "delegate to GemPermissions#can_push?" do
+      user = build(:user)
+      rubygem = build(:rubygem)
+
+      gem_permissions = mock
+      gem_permissions.expects(:can_push?).returns(true)
+      GemPermissions.expects(:new).with(rubygem, user).returns(gem_permissions)
+
+      assert user.can_push?(rubygem)
+
+      gem_permissions = mock
+      gem_permissions.expects(:can_push?).returns(false)
+      GemPermissions.expects(:new).with(rubygem, user).returns(gem_permissions)
+
+      refute user.can_push?(rubygem)
+    end
+  end
 end
