deac/gitlabhq
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Security for online editor. Replace dev_access?, master_access? with can? method usage

Browse source
This commit is contained in:
randx 2012-10-21 12:12:14 +03:00
parent 5ec1ad8b23
commit 0189ee97ed
7 changed files with 56 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
app/controllers/tree_controller.rb
View file

@ -48,5 +48,13 @@ class TreeController < ProjectResourceController
unless @tree.is_blob? && @tree.text? unless @tree.is_blob? && @tree.text?
redirect_to project_tree_path(@project, @id), notice: "You can only edit text files" redirect_to project_tree_path(@project, @id), notice: "You can only edit text files"
end end
allowed = if project.protected_branch? @ref
can?(current_user, :push_code_to_protected_branches, project)
else
can?(current_user, :push_code, project)
end
return access_denied! unless allowed
end end
end end

8
app/helpers/tree_helper.rb
View file

@ -59,4 +59,12 @@ module TreeHelper
def tree_join(*args) def tree_join(*args)
File.join(*args) File.join(*args)
end end
def allowed_tree_edit?
if @project.protected_branch? @ref
can?(current_user, :push_code_to_protected_branches, @project)
else
can?(current_user, :push_code, @project)
end
end
end end

7
app/models/ability.rb
View file

@ -35,9 +35,14 @@ class Ability
] if project.report_access_for?(user) ] if project.report_access_for?(user)
rules << [ rules << [
:write_wiki :write_wiki,
:push_code
] if project.dev_access_for?(user) ] if project.dev_access_for?(user)
rules << [
:push_code_to_protected_branches
] if project.master_access_for?(user)
rules << [ rules << [
:modify_issue, :modify_issue,
:modify_snippet, :modify_snippet,

2
app/roles/authority.rb
View file

@ -53,6 +53,6 @@ module Authority
end end
def master_access_for?(user) def master_access_for?(user)
!users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty? || owner_id == user.id !users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty?
end end
end end

5
app/roles/repository.rb
View file

@ -181,4 +181,9 @@ module Repository
def http_url_to_repo def http_url_to_repo
http_url = [Gitlab.config.url, "/", path, ".git"].join('') http_url = [Gitlab.config.url, "/", path, ".git"].join('')
end end
# Check if current branch name is marked as protected in the system
def protected_branch? branch_name
protected_branches.map(&:name).include?(branch_name)
end
end end

2
app/views/tree/_blob_actions.html.haml
View file

@ -1,7 +1,7 @@
.btn-group.tree-btn-group .btn-group.tree-btn-group
-# only show edit link for text files -# only show edit link for text files
- if @tree.text? - if @tree.text?
= link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small" = link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small", disabled: !allowed_tree_edit?
= link_to "raw", project_blob_path(@project, @id), class: "btn very_small", target: "_blank" = link_to "raw", project_blob_path(@project, @id), class: "btn very_small", target: "_blank"
-# only show normal/blame view links for text files -# only show normal/blame view links for text files
- if @tree.text? - if @tree.text?

42
lib/gitlab/backend/grack_auth.rb
View file

@ -1,10 +1,11 @@
module Grack module Grack
class Auth < Rack::Auth::Basic class Auth < Rack::Auth::Basic
attr_accessor :user, :project
def valid? def valid?
# Authentication with username and password # Authentication with username and password
email, password = @auth.credentials email, password = @auth.credentials
user = User.find_by_email(email) self.user = User.find_by_email(email)
return false unless user.try(:valid_password?, password) return false unless user.try(:valid_password?, password)
# Set GL_USER env variable # Set GL_USER env variable
@ -18,28 +19,39 @@ module Grack
# Find project by PATH_INFO from env # Find project by PATH_INFO from env
if m = /^\/([\w-]+).git/.match(@request.path_info).to_a if m = /^\/([\w-]+).git/.match(@request.path_info).to_a
return false unless project = Project.find_by_path(m.last) self.project = Project.find_by_path(m.last)
return false unless project
end end
# Git upload and receive # Git upload and receive
if @request.get? if @request.get?
true validate_get_request
elsif @request.post? elsif @request.post?
if @request.path_info.end_with?('git-upload-pack') validate_post_request
return project.dev_access_for?(user)
elsif @request.path_info.end_with?('git-receive-pack')
if project.protected_branches.map(&:name).include?(current_ref)
project.master_access_for?(user)
else
project.dev_access_for?(user)
end
else
false
end
else else
false false
end end
end# valid? end
def validate_get_request
true
end
def validate_post_request
if @request.path_info.end_with?('git-upload-pack')
can?(user, :push_code, project)
elsif @request.path_info.end_with?('git-receive-pack')
action = if project.protected_branch?(current_ref)
:push_code_to_protected_branches
else
:push_code
end
can?(user, action, project)
else
false
end
end
def current_ref def current_ref
if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/ if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/