security improved

2011-10-17 13:39:03 +03:00 · 2011-10-17 13:39:03 +03:00 · 783ca89796
commit 783ca89796
parent b08e4074b4
9 changed files with 74 additions and 26 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -27,11 +27,15 @@ class ApplicationController < ActionController::Base
  end

  def authenticate_admin!
-    return redirect_to(new_user_session_path) unless current_user.is_admin?
+    return render_404 unless current_user.is_admin?
  end

  def authorize_project!(action)
-    return redirect_to(new_user_session_path) unless can?(current_user, action, project)
+    return render_404 unless can?(current_user, action, project)
+  end
+
+  def access_denied!
+    render_404
  end

  def method_missing(method_sym, *arguments, &block)
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@ -1,12 +1,12 @@
 class IssuesController < ApplicationController
  before_filter :authenticate_user!
  before_filter :project 
+  before_filter :issue, :only => [:edit, :update, :destroy, :show]

  # Authorize
  before_filter :add_project_abilities
  before_filter :authorize_read_issue!
  before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort] 
-  before_filter :authorize_admin_issue!, :only => [:destroy] 

  respond_to :js

@ -30,12 +30,10 @@ class IssuesController < ApplicationController
  end

  def edit
-    @issue = @project.issues.find(params[:id])
    respond_with(@issue)
  end

  def show
-    @issue = @project.issues.find(params[:id])
    @notes = @issue.notes
    @note = @project.notes.new(:noteable => @issue)
  end
@ -51,7 +49,6 @@ class IssuesController < ApplicationController
  end

  def update
-    @issue = @project.issues.find(params[:id])
    @issue.update_attributes(params[:issue])

    respond_to do |format|
@ -62,7 +59,8 @@ class IssuesController < ApplicationController


  def destroy
-    @issue = @project.issues.find(params[:id])
+    return access_denied! unless can?(current_user, :admin_issue, @issue)
+
    @issue.destroy

    respond_to do |format|
@ -79,4 +77,10 @@ class IssuesController < ApplicationController

    render :nothing => true
  end
+
+  protected 
+
+  def issue
+    @issue ||= @project.issues.find(params[:id])
+  end
 end
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@ -4,7 +4,6 @@ class NotesController < ApplicationController
  # Authorize
  before_filter :add_project_abilities
  before_filter :authorize_write_note!, :only => [:create] 
-  before_filter :authorize_admin_note!, :only => [:destroy] 

  respond_to :js

@ -25,6 +24,9 @@ class NotesController < ApplicationController

  def destroy
    @note = @project.notes.find(params[:id])
+
+    return access_denied! unless can?(current_user, :admin_note, @note)
+
    @note.destroy

    respond_to do |format|
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@ -52,12 +52,11 @@ class SnippetsController < ApplicationController

  def destroy
    @snippet = @project.snippets.find(params[:id])
-    authorize_admin_snippet! unless @snippet.author == current_user
+
+    return access_denied! unless can?(current_user, :admin_snippet, @snippet)

    @snippet.destroy

-    respond_to do |format|
-      format.js { render :nothing => true }  
-    end
+    redirect_to project_snippets_path(@project)
  end
 end
--- a/app/controllers/team_members_controller.rb
+++ b/app/controllers/team_members_controller.rb
@ -3,8 +3,8 @@ class TeamMembersController < ApplicationController

  # Authorize
  before_filter :add_project_abilities
-  before_filter :authorize_read_team_member!
-  before_filter :authorize_admin_team_member!, :only => [:new, :create, :destroy, :update] 
+  before_filter :authorize_read_project!
+  before_filter :authorize_admin_project!, :only => [:new, :create, :destroy, :update] 

  def show
    @team_member = project.users_projects.find(params[:id])