Abilities extended. Resources security improved
This commit is contained in:
parent
af82b6773b
commit
8c40aab120
16 changed files with 51 additions and 52 deletions
@ -48,6 +48,10 @@ class ApplicationController < ActionController::Base
|
|||
return render_404 unless can?(current_user, action, project)
|
||||
end
|
||||
|
||||
def authorize_code_access!
|
||||
return render_404 unless can?(current_user, :download_code, project)
|
||||
end
|
||||
|
||||
def access_denied!
|
||||
render_404
|
||||
end
|
||||
|
|
|
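Review bot: `authorize_code_access!` and `access_denied!` are undocumented, and `authorize_code_access!` depends on `project` and `current_user` being resolved by filters that are outside this hunk; a short comment would make that contract explicit, e.g. `# Halts the filter chain with a 404 when the user lacks :download_code on the current project; must run after the project is loaded.` Rendering a 404 rather than a 403 for a denied action appears intended, since `access_denied!` produces the same response, and a one-line comment stating that the 404 is chosen so that project existence is not leaked would keep a later maintainer from "correcting" it. The ApplicationController class continues outside the hunk.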
@ -7,6 +7,7 @@ class CommitsController < ApplicationController
|
|||
# Authorize
|
||||
before_filter :add_project_abilities
|
||||
before_filter :authorize_read_project!
|
||||
before_filter :authorize_code_access!
|
||||
before_filter :require_non_empty_project
|
||||
before_filter :load_refs, :only => :index # load @branch, @tag & @ref
|
||||
before_filter :render_full_content
|
||||
|
|
|
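Review bot: `before_filter :authorize_code_access!` is inserted directly after `authorize_read_project!` here and in the RefsController and RepositoriesController hunks, and `can?(current_user, :download_code, project)` presumably relies on the abilities loaded by `add_project_abilities`, so the position in the chain is load-bearing but unstated. A comment beside the new line, `# needs project abilities loaded; keep after add_project_abilities`, would protect the ordering against a later reshuffle of the filter list. The filter lists in all three controllers continue outside their hunks.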
@ -126,12 +126,11 @@ class IssuesController < ApplicationController
|
|||
end
|
||||
|
||||
def authorize_modify_issue!
|
||||
can?(current_user, :modify_issue, @issue) ||
|
||||
@issue.assignee == current_user
|
||||
return render_404 unless can?(current_user, :modify_issue, @issue)
|
||||
end
|
||||
|
||||
def authorize_admin_issue!
|
||||
can?(current_user, :admin_issue, @issue)
|
||||
return render_404 unless can?(current_user, :admin_issue, @issue)
|
||||
end
|
||||
|
||||
def module_enabled
|
||||
|
|
|
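Review bot: The rewritten `authorize_modify_issue!` drops the `@issue.assignee == current_user` branch, so an assignee who is not granted `:modify_issue` by the ability rules now receives a 404 where the previous check passed; the same applies to `authorize_modify_merge_request!` in the MergeRequestsController hunk. If the assignee case was folded into the ability rules in one of the changed files not shown here, a comment saying so (`# assignee access is granted through the :modify_issue ability`) would keep that intent visible; otherwise the condition should stay `return render_404 unless can?(current_user, :modify_issue, @issue) || @issue.assignee == current_user`. The old form returned a boolean from a before_filter, which does not halt the chain, so the `return render_404 unless` shape itself is the right fix.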
@ -112,12 +112,11 @@ class MergeRequestsController < ApplicationController
|
|||
end
|
||||
|
||||
def authorize_modify_merge_request!
|
||||
can?(current_user, :modify_merge_request, @merge_request) ||
|
||||
@merge_request.assignee == current_user
|
||||
return render_404 unless can?(current_user, :modify_merge_request, @merge_request)
|
||||
end
|
||||
|
||||
def authorize_admin_merge_request!
|
||||
can?(current_user, :admin_merge_request, @merge_request)
|
||||
return render_404 unless can?(current_user, :admin_merge_request, @merge_request)
|
||||
end
|
||||
|
||||
def module_enabled
|
||||
|
|
|
@ -4,6 +4,7 @@ class RefsController < ApplicationController
|
|||
# Authorize
|
||||
before_filter :add_project_abilities
|
||||
before_filter :authorize_read_project!
|
||||
before_filter :authorize_code_access!
|
||||
before_filter :require_non_empty_project
|
||||
|
||||
before_filter :ref
|
||||
|
|
|
@ -4,6 +4,7 @@ class RepositoriesController < ApplicationController
|
|||
# Authorize
|
||||
before_filter :add_project_abilities
|
||||
before_filter :authorize_read_project!
|
||||
before_filter :authorize_code_access!
|
||||
before_filter :require_non_empty_project
|
||||
before_filter :render_full_content
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
class SnippetsController < ApplicationController
|
||||
before_filter :authenticate_user!
|
||||
before_filter :project
|
||||
before_filter :snippet, :only => [:show, :edit, :destroy, :update]
|
||||
layout "project"
|
||||
|
||||
# Authorize
|
||||
|
@ -41,11 +42,9 @@ class SnippetsController < ApplicationController
|
|||
end
|
||||
|
||||
def edit
|
||||
@snippet = @project.snippets.find(params[:id])
|
||||
end
|
||||
|
||||
def update
|
||||
@snippet = @project.snippets.find(params[:id])
|
||||
@snippet.update_attributes(params[:snippet])
|
||||
|
||||
if @snippet.valid?
|
||||
|
@ -56,15 +55,12 @@ class SnippetsController < ApplicationController
|
|||
end
|
||||
|
||||
def show
|
||||
@snippet = @project.snippets.find(params[:id])
|
||||
@notes = @snippet.notes
|
||||
@note = @project.notes.new(:noteable => @snippet)
|
||||
render_full_content
|
||||
end
|
||||
|
||||
def destroy
|
||||
@snippet = @project.snippets.find(params[:id])
|
||||
|
||||
return access_denied! unless can?(current_user, :admin_snippet, @snippet)
|
||||
|
||||
@snippet.destroy
|
||||
|
@ -73,12 +69,15 @@ class SnippetsController < ApplicationController
|
|||
end
|
||||
|
||||
protected
|
||||
def snippet
|
||||
@snippet ||= @project.snippets.find(params[:id])
|
||||
end
|
||||
|
||||
def authorize_modify_snippet!
|
||||
can?(current_user, :modify_snippet, @snippet)
|
||||
return render_404 unless can?(current_user, :modify_snippet, @snippet)
|
||||
end
|
||||
|
||||
def authorize_admin_snippet!
|
||||
can?(current_user, :admin_snippet, @snippet)
|
||||
return render_404 unless can?(current_user, :admin_snippet, @snippet)
|
||||
end
|
||||
end
|
||||
|
|
|
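Review bot: `authorize_modify_snippet!` and `authorize_admin_snippet!` evaluate `can?` against `@snippet`, which the new `snippet` filter memoizes only for show/edit/destroy/update; if either authorization filter is registered for another action or ahead of `:snippet` in the chain (the `# Authorize` filter list sits outside these hunks), the check runs with `@snippet` nil. Calling the helper rather than the ivar, `return render_404 unless can?(current_user, :modify_snippet, snippet)`, removes that ordering dependency because `snippet` loads on demand. Looking the record up through `@project.snippets.find(params[:id])` keeps the lookup scoped to the current project, so an id belonging to another project should fail the find rather than be authorized against the wrong object.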
@ -2,7 +2,7 @@ class WikisController < ApplicationController
|
|||
before_filter :project
|
||||
before_filter :add_project_abilities
|
||||
before_filter :authorize_read_wiki!
|
||||
before_filter :authorize_write_wiki!, :except => [:show, :destroy]
|
||||
before_filter :authorize_write_wiki!, :only => [:edit, :create, :history]
|
||||
before_filter :authorize_admin_wiki!, :only => :destroy
|
||||
layout "project"
|
||||
|
||||
|
@ -12,6 +12,11 @@ class WikisController < ApplicationController
|
|||
else
|
||||
@wiki = @project.wikis.where(:slug => params[:id]).order("created_at").last
|
||||
end
|
||||
|
||||
unless @wiki
|
||||
return render_404 unless can?(current_user, :write_wiki, @project)
|
||||
end
|
||||
|
||||
respond_to do |format|
|
||||
if @wiki
|
||||
format.html
|
||||
|
@ -51,18 +56,4 @@ class WikisController < ApplicationController
|
|||
format.html { redirect_to project_wiki_path(@project, :index), notice: "Page was successfully deleted" }
|
||||
end
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
def authorize_read_wiki!
|
||||
can?(current_user, :read_wiki, @project)
|
||||
end
|
||||
|
||||
def authorize_write_wiki!
|
||||
can?(current_user, :write_wiki, @project)
|
||||
end
|
||||
|
||||
def authorize_admin_wiki!
|
||||
can?(current_user, :admin_wiki, @project)
|
||||
end
|
||||
end
|
||||
|
|
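Review bot: Changing `authorize_write_wiki!` from `:except => [:show, :destroy]` to `:only => [:edit, :create, :history]` turns the write guard from a default-on denylist into an allowlist of actions; any action not in that list — an `update` action if this controller defines one, or any action added later — is now covered only by `authorize_read_wiki!`, whereas before it was protected unless explicitly excepted. Unless every write path is known to go through `create`, `:except => [:show, :destroy]` is the safer shape, or at minimum a comment should state why `:only` is intended here. The hunk at `@ -51,18 +56,4` deletes the local `authorize_read_wiki!`, `authorize_write_wiki!` and `authorize_admin_wiki!` definitions while the filters still reference them, so they must now come from a shared definition in one of the changed files not shown on this page.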