Merge pull request #6367 from rubygems/do-not-push-gem-reserved-versions

Disallow pusher to push versions of a reserved gem

Author: jenshenny

app/models/pusher.rb

@@ -256,7 +256,7 @@ def republish_notification(version)
   end
 
   def notify_unauthorized
-    if !api_key.user?
+    if !api_key.user? || rubygem.reserved_name?
       notify("You are not allowed to push this gem.", 403)
     elsif rubygem.unconfirmed_ownership?(owner)
       notify("You do not have permission to push to this gem. " \

app/models/rubygem.rb

@@ -291,7 +291,11 @@ def slug
   end
 
   def pushable?
-    new_record? || (versions.indexed.none? && not_protected?)
+    new_record? || (versions.indexed.none? && not_protected? && !reserved_name?)
+  end
+
+  def reserved_name?
+    GemNameReservation.reserved?(name)
   end
 
   def create_ownership(user)
@@ -400,7 +404,7 @@ def needs_name_validation?
   end
 
   def reserved_names_exclusion
-    return unless GemNameReservation.reserved?(name)
+    return unless reserved_name?
     errors.add :name, "'#{name}' is a reserved gem name."
   end
 

test/models/pusher_test.rb

@@ -343,6 +343,15 @@ class PusherTest < ActiveSupport::TestCase
         assert @cutter.authorize
       end
 
+      should "be false if gem name is reserved" do
+        create(:version, rubygem: @rubygem, number: "0.1.1", indexed: false)
+        create(:gem_name_reservation, name: @rubygem.name.downcase)
+
+        refute @cutter.authorize
+        assert_equal "You are not allowed to push this gem.", @cutter.message
+        assert_equal 403, @cutter.code
+      end
+
       context "version metadata has rubygems_mfa_required set" do
         setup do
           spec = mock