Security for online editor. Replace dev_access?, master_access? with can? method usage

2012-10-21 12:12:14 +03:00 · 2012-10-21 12:12:14 +03:00 · 0189ee97ed
commit 0189ee97ed
parent 5ec1ad8b23
7 changed files with 56 additions and 18 deletions
--- a/app/controllers/tree_controller.rb
+++ b/app/controllers/tree_controller.rb
@ -48,5 +48,13 @@ class TreeController < ProjectResourceController
    unless @tree.is_blob? && @tree.text?
      redirect_to project_tree_path(@project, @id), notice: "You can only edit text files"
    end
+
+    allowed = if project.protected_branch? @ref
+                can?(current_user, :push_code_to_protected_branches, project)
+              else
+                can?(current_user, :push_code, project)
+              end
+
+    return access_denied! unless allowed
  end
 end
--- a/app/helpers/tree_helper.rb
+++ b/app/helpers/tree_helper.rb
@ -59,4 +59,12 @@ module TreeHelper
  def tree_join(*args)
    File.join(*args)
  end
+
+  def allowed_tree_edit?
+    if @project.protected_branch? @ref
+      can?(current_user, :push_code_to_protected_branches, @project)
+    else
+      can?(current_user, :push_code, @project)
+    end
+  end
 end
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -35,9 +35,14 @@ class Ability
      ] if project.report_access_for?(user)

      rules << [
-        :write_wiki
+        :write_wiki,
+        :push_code
      ] if project.dev_access_for?(user)

+      rules << [
+        :push_code_to_protected_branches
+      ] if project.master_access_for?(user)
+
      rules << [
        :modify_issue,
        :modify_snippet,
--- a/app/roles/authority.rb
+++ b/app/roles/authority.rb
@ -53,6 +53,6 @@ module Authority
  end

  def master_access_for?(user)
-    !users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty? || owner_id == user.id
+    !users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty?
  end
 end
--- a/app/roles/repository.rb
+++ b/app/roles/repository.rb
@ -181,4 +181,9 @@ module Repository
  def http_url_to_repo
    http_url = [Gitlab.config.url, "/", path, ".git"].join('')
  end
+
+  # Check if current branch name is marked as protected in the system
+  def protected_branch? branch_name
+    protected_branches.map(&:name).include?(branch_name)
+  end
 end
--- a/app/views/tree/_blob_actions.html.haml
+++ b/app/views/tree/_blob_actions.html.haml
@ -1,7 +1,7 @@
 .btn-group.tree-btn-group
  -# only show edit link for text files
  - if @tree.text?
-    = link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small"
+    = link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small", disabled: !allowed_tree_edit?
  = link_to "raw", project_blob_path(@project, @id), class: "btn very_small", target: "_blank"
  -# only show normal/blame view links for text files
  - if @tree.text?