Security for online editor. Replace dev_access?, master_access? with can? method usage

2012-10-21 12:12:14 +03:00 · 2012-10-21 12:12:14 +03:00 · 0189ee97ed
commit 0189ee97ed
parent 5ec1ad8b23
7 changed files with 56 additions and 18 deletions
--- a/app/controllers/tree_controller.rb
+++ b/app/controllers/tree_controller.rb
@ -48,5 +48,13 @@ class TreeController < ProjectResourceController
    unless @tree.is_blob? && @tree.text?
      redirect_to project_tree_path(@project, @id), notice: "You can only edit text files"
    end
+
+    allowed = if project.protected_branch? @ref
+                can?(current_user, :push_code_to_protected_branches, project)
+              else
+                can?(current_user, :push_code, project)
+              end
+
+    return access_denied! unless allowed
  end
 end