Abilities extended. Resources security improved
parent
af82b6773b
commit
8c40aab120
16 changed files with 51 additions and 52 deletions
@ -48,6 +48,10 @@ class ApplicationController < ActionController::Base
|
||||||
return render_404 unless can?(current_user, action, project)
|
return render_404 unless can?(current_user, action, project)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def authorize_code_access!
|
||||||
|
return render_404 unless can?(current_user, :download_code, project)
|
||||||
|
end
|
||||||
|
|
||||||
def access_denied!
|
def access_denied!
|
||||||
render_404
|
render_404
|
||||||
end
|
end
|
||||||
|
|
|
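Review bot: The new `authorize_code_access!` carries no comment saying what it guards or what it depends on; it goes through `can?` on `project` and `current_user`, so it only yields a useful answer once `add_project_abilities` has run, and a controller that declares it earlier would presumably 404 every request. Suggest `# Requires the :download_code ability on the current project; declare after :add_project_abilities.` above the definition. The three controllers wired in this commit (Commits, Refs, Repositories) all place it after `add_project_abilities` and `authorize_read_project!`, so the ordering holds today; the comment is for the next caller. The enclosing class continues outside the hunk.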
@ -7,6 +7,7 @@ class CommitsController < ApplicationController
|
||||||
# Authorize
|
# Authorize
|
||||||
before_filter :add_project_abilities
|
before_filter :add_project_abilities
|
||||||
before_filter :authorize_read_project!
|
before_filter :authorize_read_project!
|
||||||
|
before_filter :authorize_code_access!
|
||||||
before_filter :require_non_empty_project
|
before_filter :require_non_empty_project
|
||||||
before_filter :load_refs, :only => :index # load @branch, @tag & @ref
|
before_filter :load_refs, :only => :index # load @branch, @tag & @ref
|
||||||
before_filter :render_full_content
|
before_filter :render_full_content
|
||||||
|
|
|
@ -126,12 +126,11 @@ class IssuesController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorize_modify_issue!
|
def authorize_modify_issue!
|
||||||
can?(current_user, :modify_issue, @issue) ||
|
return render_404 unless can?(current_user, :modify_issue, @issue)
|
||||||
@issue.assignee == current_user
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorize_admin_issue!
|
def authorize_admin_issue!
|
||||||
can?(current_user, :admin_issue, @issue)
|
return render_404 unless can?(current_user, :admin_issue, @issue)
|
||||||
end
|
end
|
||||||
|
|
||||||
def module_enabled
|
def module_enabled
|
||||||
|
|
|
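Review bot: The rewritten `authorize_modify_issue!` and `authorize_admin_issue!` now halt with `render_404` rather than returning a boolean, which is the only form that actually stops a before_filter chain — a bare `true`/`false` return does not halt the action — and the same applies to the MergeRequestsController hunk (`authorize_modify_merge_request!`, `authorize_admin_merge_request!`). Worth recording above each so nobody reverts to the boolean form: `# before_filter: must render (404) to halt; a false return would not stop the action`. The assignee exception that used to live here (`@issue.assignee == current_user`) has moved into `Ability`, so these methods now depend on `@issue` being loaded by an earlier filter; with `@issue` nil the `case` in `Ability` presumably falls to `else []` and the request 404s, i.e. it fails closed. The `before_filter ... :only` wiring for these methods is outside the hunk.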
@ -112,12 +112,11 @@ class MergeRequestsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorize_modify_merge_request!
|
def authorize_modify_merge_request!
|
||||||
can?(current_user, :modify_merge_request, @merge_request) ||
|
return render_404 unless can?(current_user, :modify_merge_request, @merge_request)
|
||||||
@merge_request.assignee == current_user
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorize_admin_merge_request!
|
def authorize_admin_merge_request!
|
||||||
can?(current_user, :admin_merge_request, @merge_request)
|
return render_404 unless can?(current_user, :admin_merge_request, @merge_request)
|
||||||
end
|
end
|
||||||
|
|
||||||
def module_enabled
|
def module_enabled
|
||||||
|
|
|
@ -4,6 +4,7 @@ class RefsController < ApplicationController
|
||||||
# Authorize
|
# Authorize
|
||||||
before_filter :add_project_abilities
|
before_filter :add_project_abilities
|
||||||
before_filter :authorize_read_project!
|
before_filter :authorize_read_project!
|
||||||
|
before_filter :authorize_code_access!
|
||||||
before_filter :require_non_empty_project
|
before_filter :require_non_empty_project
|
||||||
|
|
||||||
before_filter :ref
|
before_filter :ref
|
||||||
|
|
|
@ -4,6 +4,7 @@ class RepositoriesController < ApplicationController
|
||||||
# Authorize
|
# Authorize
|
||||||
before_filter :add_project_abilities
|
before_filter :add_project_abilities
|
||||||
before_filter :authorize_read_project!
|
before_filter :authorize_read_project!
|
||||||
|
before_filter :authorize_code_access!
|
||||||
before_filter :require_non_empty_project
|
before_filter :require_non_empty_project
|
||||||
before_filter :render_full_content
|
before_filter :render_full_content
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
class SnippetsController < ApplicationController
|
class SnippetsController < ApplicationController
|
||||||
before_filter :authenticate_user!
|
before_filter :authenticate_user!
|
||||||
before_filter :project
|
before_filter :project
|
||||||
|
before_filter :snippet, :only => [:show, :edit, :destroy, :update]
|
||||||
layout "project"
|
layout "project"
|
||||||
|
|
||||||
# Authorize
|
# Authorize
|
||||||
|
@ -41,11 +42,9 @@ class SnippetsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def edit
|
def edit
|
||||||
@snippet = @project.snippets.find(params[:id])
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def update
|
def update
|
||||||
@snippet = @project.snippets.find(params[:id])
|
|
||||||
@snippet.update_attributes(params[:snippet])
|
@snippet.update_attributes(params[:snippet])
|
||||||
|
|
||||||
if @snippet.valid?
|
if @snippet.valid?
|
||||||
|
@ -56,15 +55,12 @@ class SnippetsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def show
|
def show
|
||||||
@snippet = @project.snippets.find(params[:id])
|
|
||||||
@notes = @snippet.notes
|
@notes = @snippet.notes
|
||||||
@note = @project.notes.new(:noteable => @snippet)
|
@note = @project.notes.new(:noteable => @snippet)
|
||||||
render_full_content
|
render_full_content
|
||||||
end
|
end
|
||||||
|
|
||||||
def destroy
|
def destroy
|
||||||
@snippet = @project.snippets.find(params[:id])
|
|
||||||
|
|
||||||
return access_denied! unless can?(current_user, :admin_snippet, @snippet)
|
return access_denied! unless can?(current_user, :admin_snippet, @snippet)
|
||||||
|
|
||||||
@snippet.destroy
|
@snippet.destroy
|
||||||
|
@ -73,12 +69,15 @@ class SnippetsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
protected
|
protected
|
||||||
|
def snippet
|
||||||
|
@snippet ||= @project.snippets.find(params[:id])
|
||||||
|
end
|
||||||
|
|
||||||
def authorize_modify_snippet!
|
def authorize_modify_snippet!
|
||||||
can?(current_user, :modify_snippet, @snippet)
|
return render_404 unless can?(current_user, :modify_snippet, @snippet)
|
||||||
end
|
end
|
||||||
|
|
||||||
def authorize_admin_snippet!
|
def authorize_admin_snippet!
|
||||||
can?(current_user, :admin_snippet, @snippet)
|
return render_404 unless can?(current_user, :admin_snippet, @snippet)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
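Review bot: `before_filter :snippet` is declared right after `before_filter :project` and before the `# Authorize` block, so `@project.snippets.find(params[:id])` now runs before whatever project-level authorization filters are declared there (their list is outside the hunk); a caller with no read access and a bad id reaches `ActiveRecord::RecordNotFound` before any authorization check. Both paths end in a 404 today, but record lookup driven by request parameters should follow authorization, not precede it — consider moving `:snippet` below the authorization filters and documenting the order with `# loads @snippet for member actions; keep after the authorize_* filters`. The memoized `snippet` helper itself would benefit from a one-line comment, e.g. `# Memoized lookup scoped to @project; ids outside the project raise RecordNotFound (404).`. The inline `return access_denied! unless can?(current_user, :admin_snippet, @snippet)` kept in `destroy` duplicates `authorize_admin_snippet!` if that filter is wired to `destroy`; harmless, but one of the two could go.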
@ -2,7 +2,7 @@ class WikisController < ApplicationController
|
||||||
before_filter :project
|
before_filter :project
|
||||||
before_filter :add_project_abilities
|
before_filter :add_project_abilities
|
||||||
before_filter :authorize_read_wiki!
|
before_filter :authorize_read_wiki!
|
||||||
before_filter :authorize_write_wiki!, :except => [:show, :destroy]
|
before_filter :authorize_write_wiki!, :only => [:edit, :create, :history]
|
||||||
before_filter :authorize_admin_wiki!, :only => :destroy
|
before_filter :authorize_admin_wiki!, :only => :destroy
|
||||||
layout "project"
|
layout "project"
|
||||||
|
|
||||||
|
@ -12,6 +12,11 @@ class WikisController < ApplicationController
|
||||||
else
|
else
|
||||||
@wiki = @project.wikis.where(:slug => params[:id]).order("created_at").last
|
@wiki = @project.wikis.where(:slug => params[:id]).order("created_at").last
|
||||||
end
|
end
|
||||||
|
|
||||||
|
unless @wiki
|
||||||
|
return render_404 unless can?(current_user, :write_wiki, @project)
|
||||||
|
end
|
||||||
|
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
if @wiki
|
if @wiki
|
||||||
format.html
|
format.html
|
||||||
|
@ -51,18 +56,4 @@ class WikisController < ApplicationController
|
||||||
format.html { redirect_to project_wiki_path(@project, :index), notice: "Page was successfully deleted" }
|
format.html { redirect_to project_wiki_path(@project, :index), notice: "Page was successfully deleted" }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
protected
|
|
||||||
|
|
||||||
def authorize_read_wiki!
|
|
||||||
can?(current_user, :read_wiki, @project)
|
|
||||||
end
|
|
||||||
|
|
||||||
def authorize_write_wiki!
|
|
||||||
can?(current_user, :write_wiki, @project)
|
|
||||||
end
|
|
||||||
|
|
||||||
def authorize_admin_wiki!
|
|
||||||
can?(current_user, :admin_wiki, @project)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
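Review bot: Switching `authorize_write_wiki!` from `:except => [:show, :destroy]` to `:only => [:edit, :create, :history]` turns the guard from fail-closed to fail-open: any action not in that list — an `update`, if the routes define one, or any action added later — runs without a write check, whereas before only `show` and `destroy` were exempt. If `edit`, `create` and `history` really are the only other actions the change is equivalent today, but `:except` was the safer shape; either way, pin the intent with `# every action except show/destroy needs :write_wiki; keep in sync with the routes`. The `authorize_read_wiki!`/`authorize_write_wiki!`/`authorize_admin_wiki!` definitions removed here are still referenced by the filters at the top of the class, so they must now resolve to definitions elsewhere (presumably ApplicationController, which is not in this diff). The new `return render_404 unless can?(current_user, :write_wiki, @project)` inside `unless @wiki` in `show` reads as "only writers see the create-page path" and deserves a comment saying so.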
@ -5,7 +5,7 @@ class Ability
|
||||||
when "Issue" then issue_abilities(object, subject)
|
when "Issue" then issue_abilities(object, subject)
|
||||||
when "Note" then note_abilities(object, subject)
|
when "Note" then note_abilities(object, subject)
|
||||||
when "Snippet" then snippet_abilities(object, subject)
|
when "Snippet" then snippet_abilities(object, subject)
|
||||||
when "Wiki" then wiki_abilities(object, subject)
|
when "MergeRequest" then merge_request_abilities(object, subject)
|
||||||
else []
|
else []
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -23,13 +23,13 @@ class Ability
|
||||||
:read_note,
|
:read_note,
|
||||||
:write_project,
|
:write_project,
|
||||||
:write_issue,
|
:write_issue,
|
||||||
:write_snippet,
|
|
||||||
:write_merge_request,
|
|
||||||
:write_note
|
:write_note
|
||||||
] if project.guest_access_for?(user)
|
] if project.guest_access_for?(user)
|
||||||
|
|
||||||
rules << [
|
rules << [
|
||||||
:download_code,
|
:download_code,
|
||||||
|
:write_merge_request,
|
||||||
|
:write_snippet
|
||||||
] if project.report_access_for?(user)
|
] if project.report_access_for?(user)
|
||||||
|
|
||||||
rules << [
|
rules << [
|
||||||
|
@ -39,7 +39,7 @@ class Ability
|
||||||
rules << [
|
rules << [
|
||||||
:modify_issue,
|
:modify_issue,
|
||||||
:modify_snippet,
|
:modify_snippet,
|
||||||
:modify_wiki,
|
:modify_merge_request,
|
||||||
:admin_project,
|
:admin_project,
|
||||||
:admin_issue,
|
:admin_issue,
|
||||||
:admin_snippet,
|
:admin_snippet,
|
||||||
|
@ -47,7 +47,7 @@ class Ability
|
||||||
:admin_merge_request,
|
:admin_merge_request,
|
||||||
:admin_note,
|
:admin_note,
|
||||||
:admin_wiki
|
:admin_wiki
|
||||||
] if project.master_access_for?(user)
|
] if project.master_access_for?(user) || project.owner == user
|
||||||
|
|
||||||
|
|
||||||
rules.flatten
|
rules.flatten
|
||||||
|
@ -63,6 +63,12 @@ class Ability
|
||||||
:"modify_#{name}",
|
:"modify_#{name}",
|
||||||
:"admin_#{name}"
|
:"admin_#{name}"
|
||||||
]
|
]
|
||||||
|
elsif subject.respond_to?(:assignee) && subject.assignee == user
|
||||||
|
[
|
||||||
|
:"read_#{name}",
|
||||||
|
:"write_#{name}",
|
||||||
|
:"modify_#{name}",
|
||||||
|
]
|
||||||
else
|
else
|
||||||
subject.respond_to?(:project) ?
|
subject.respond_to?(:project) ?
|
||||||
project_abilities(user, subject.project) : []
|
project_abilities(user, subject.project) : []
|
||||||
|
|
|
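Review bot: The new `elsif subject.respond_to?(:assignee) && subject.assignee == user` branch returns only `read_`/`write_`/`modify_` and never reaches `project_abilities`, so a project master (or the owner, now covered by `|| project.owner == user`) who is also the assignee loses `admin_#{name}` on that object — an unassigned master keeps the admin ability, an assigned one does not. The branches are exclusive (the `else` is the only path into `project_abilities`), so merge instead of short-circuiting: replace the closing `]` of the assignee array with `] + (subject.respond_to?(:project) ? project_abilities(user, subject.project) : [])`. The method head and the branch above `:"modify_#{name}"`/`:"admin_#{name}"` are outside the hunk; check whether that branch has the same gap. Separately, `when "Wiki"` was replaced by `when "MergeRequest"`, so a `Wiki` subject now falls to `else []`; that is fine as long as every caller passes the project, as the views in this commit do.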
@ -188,7 +188,7 @@ class Project < ActiveRecord::Base
|
||||||
elsif access.include?(:write)
|
elsif access.include?(:write)
|
||||||
{ :project_access => UsersProject::DEVELOPER }
|
{ :project_access => UsersProject::DEVELOPER }
|
||||||
else
|
else
|
||||||
{ :project_access => UsersProject::GUEST }
|
{ :project_access => UsersProject::REPORTER }
|
||||||
end
|
end
|
||||||
opts = { :user => user }
|
opts = { :user => user }
|
||||||
opts.merge!(access)
|
opts.merge!(access)
|
||||||
|
|
|
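Review bot: The fallback branch of this access mapping now yields `UsersProject::REPORTER` instead of `GUEST`, and in this same commit Reporter is the level that gains `:download_code`, `:write_merge_request` and `:write_snippet`, so any caller that omits an explicit `:read`/`:write`/`:admin` option now grants code access by default. If this is the path used when adding members, the lowest role is the safer default and callers that want Reporter should say so; if Reporter is intentionally the baseline, record it with `# default membership level: REPORTER (grants download_code) — see Ability#project_abilities`. The method head, including which `access` values are recognised, is outside the hunk.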
@ -4,15 +4,17 @@
|
||||||
%h4 Guest
|
%h4 Guest
|
||||||
%ul
|
%ul
|
||||||
%li Create new issue
|
%li Create new issue
|
||||||
%li Create new merge request
|
%li Leave comments
|
||||||
%li Write on project wall
|
%li Write on project wall
|
||||||
|
|
||||||
%h4 Reporter
|
%h4 Reporter
|
||||||
%ul
|
%ul
|
||||||
%li Pull project code
|
%li Pull project code
|
||||||
|
%li Download project
|
||||||
%li Create new issue
|
%li Create new issue
|
||||||
%li Create new merge request
|
%li Create new merge request
|
||||||
%li Write on project wall
|
%li Write on project wall
|
||||||
|
%li Create a code snippets
|
||||||
|
|
||||||
|
|
||||||
%h4 Developer
|
%h4 Developer
|
||||||
|
@ -25,6 +27,7 @@
|
||||||
%li Create new issue
|
%li Create new issue
|
||||||
%li Create new merge request
|
%li Create new merge request
|
||||||
%li Write on project wall
|
%li Write on project wall
|
||||||
|
%li Write a wiki
|
||||||
|
|
||||||
%h4 Master
|
%h4 Master
|
||||||
%ul
|
%ul
|
||||||
|
|
|
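Review bot: `%li Create a code snippets` mixes singular and plural; change it to `%li Create code snippets` to match the other list items. The Reporter list now repeats the Guest entries plus the new rights, which matches the Ability change in this commit.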
@ -1,11 +1,10 @@
|
||||||
%li.wll{ :id => dom_id(issue), :class => "issue #{issue.critical ? "critical" : ""}", :url => project_issue_path(issue.project, issue) }
|
%li.wll{ :id => dom_id(issue), :class => "issue #{issue.critical ? "critical" : ""}", :url => project_issue_path(issue.project, issue) }
|
||||||
.right
|
.right
|
||||||
- if can? current_user, :write_issue, issue
|
- if can? current_user, :modify_issue, issue
|
||||||
- if issue.closed
|
- if issue.closed
|
||||||
= link_to 'Reopen', project_issue_path(issue.project, issue, :issue => {:closed => false }, :status_only => true), :method => :put, :class => "btn small", :remote => true
|
= link_to 'Reopen', project_issue_path(issue.project, issue, :issue => {:closed => false }, :status_only => true), :method => :put, :class => "btn small", :remote => true
|
||||||
- else
|
- else
|
||||||
= link_to 'Resolve', project_issue_path(issue.project, issue, :issue => {:closed => true }, :status_only => true), :method => :put, :class => "success btn small", :remote => true
|
= link_to 'Resolve', project_issue_path(issue.project, issue, :issue => {:closed => true }, :status_only => true), :method => :put, :class => "success btn small", :remote => true
|
||||||
- if can? current_user, :write_issue, issue
|
|
||||||
= link_to 'Edit', edit_project_issue_path(issue.project, issue), :class => "btn small edit-issue-link", :remote => true
|
= link_to 'Edit', edit_project_issue_path(issue.project, issue), :class => "btn small edit-issue-link", :remote => true
|
||||||
-#- if can?(current_user, :admin_issue, @project) || issue.author == current_user
|
-#- if can?(current_user, :admin_issue, @project) || issue.author == current_user
|
||||||
= link_to 'Remove', [issue.project, issue], :confirm => 'Are you sure?', :method => :delete, :remote => true, :class => "danger btn small delete-issue", :id => "destroy_issue_#{issue.id}"
|
= link_to 'Remove', [issue.project, issue], :confirm => 'Are you sure?', :method => :delete, :remote => true, :class => "danger btn small delete-issue", :id => "destroy_issue_#{issue.id}"
|
||||||
|
|
|
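Review bot: With the second `- if can? current_user, :write_issue, issue` guard removed, the `Edit` link must now sit under the `:modify_issue` branch; this rendering drops indentation, so the nesting cannot be confirmed here — if the link ended up at the outer level it is shown to everyone (the controller's `authorize_modify_issue!` still protects the action, so the exposure would be UI only). The same pattern applies to the merge-request view, where the `admin_project || author` guard above `Edit` was removed in favour of the `:modify_merge_request` branch. A one-line HAML comment above the branch, `-# modify_issue: who may change state or edit — see Ability`, would keep the intent visible the next time these guards are touched.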
@ -4,8 +4,9 @@
|
||||||
Project
|
Project
|
||||||
|
|
||||||
- if @project.repo_exists?
|
- if @project.repo_exists?
|
||||||
= link_to "Files", tree_project_ref_path(@project, @project.root_ref), :class => tree_tab_class
|
- if can? current_user, :download_code, @project
|
||||||
= link_to "Commits", project_commits_path(@project), :class => commit_tab_class
|
= link_to "Files", tree_project_ref_path(@project, @project.root_ref), :class => tree_tab_class
|
||||||
|
= link_to "Commits", project_commits_path(@project), :class => commit_tab_class
|
||||||
|
|
||||||
= link_to "Network", graph_project_path(@project), :class => current_page?(:controller => "projects", :action => "graph", :id => @project) ? "current" : nil
|
= link_to "Network", graph_project_path(@project), :class => current_page?(:controller => "projects", :action => "graph", :id => @project) ? "current" : nil
|
||||||
- if @project.issues_enabled
|
- if @project.issues_enabled
|
||||||
|
|
|
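Review bot: The `Network` link stays outside the new `- if can? current_user, :download_code, @project` block that now wraps `Files` and `Commits`, so users without code access still get a link into the graph view; the graph shows commit history, so unless the action behind `graph_project_path` also runs `authorize_code_access!` (that controller is not in this diff), the Reporter-level gate on code is bypassable from the UI. Move the `Network` link inside the same `- if` block (an indentation change) and verify the controller filter. Hidden links are not a control; the controller filter is what enforces the ability.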
@ -10,12 +10,11 @@
|
||||||
= @merge_request.created_at.stamp("Aug 21, 2011")
|
= @merge_request.created_at.stamp("Aug 21, 2011")
|
||||||
|
|
||||||
%span.right
|
%span.right
|
||||||
- if can?(current_user, :admin_project, @project) || @merge_request.author == current_user
|
- if can?(current_user, :modify_merge_request, @merge_request)
|
||||||
- if @merge_request.closed
|
- if @merge_request.closed
|
||||||
= link_to 'Reopen', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => false }, :status_only => true), :method => :put, :class => "btn"
|
= link_to 'Reopen', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => false }, :status_only => true), :method => :put, :class => "btn"
|
||||||
- else
|
- else
|
||||||
= link_to 'Close', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => true }, :status_only => true), :method => :put, :class => "btn", :title => "Close merge request"
|
= link_to 'Close', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => true }, :status_only => true), :method => :put, :class => "btn", :title => "Close merge request"
|
||||||
- if can?(current_user, :admin_project, @project) || @merge_request.author == current_user
|
|
||||||
= link_to edit_project_merge_request_path(@project, @merge_request), :class => "btn small" do
|
= link_to edit_project_merge_request_path(@project, @merge_request), :class => "btn small" do
|
||||||
Edit
|
Edit
|
||||||
|
|
||||||
|
|
|
@ -11,23 +11,19 @@
|
||||||
%p
|
%p
|
||||||
- if @project.issues_enabled
|
- if @project.issues_enabled
|
||||||
%span
|
%span
|
||||||
Assigned issues:
|
Assigned Issues:
|
||||||
= current_user.assigned_issues.opened.count
|
= current_user.assigned_issues.opened.count
|
||||||
%br
|
%br
|
||||||
- if @project.merge_requests_enabled
|
- if @project.merge_requests_enabled
|
||||||
%span
|
%span
|
||||||
Assigned merge request:
|
Assigned Requests:
|
||||||
= current_user.assigned_merge_requests.opened.count
|
|
||||||
%br
|
|
||||||
%span
|
|
||||||
Your merge requests:
|
|
||||||
= current_user.assigned_merge_requests.opened.count
|
= current_user.assigned_merge_requests.opened.count
|
||||||
%br
|
%br
|
||||||
%br
|
%br
|
||||||
- if @project.merge_requests_enabled
|
- if @project.merge_requests_enabled && can?(current_user, :write_merge_request, @project)
|
||||||
= link_to new_project_merge_request_path(@project), :title => "New Merge Request", :class => "btn small padded" do
|
= link_to new_project_merge_request_path(@project), :title => "New Merge Request", :class => "btn small padded" do
|
||||||
Merge Request
|
Merge Request
|
||||||
- if @project.issues_enabled
|
- if @project.issues_enabled && can?(current_user, :write_issue, @project)
|
||||||
= link_to new_project_issue_path(@project), :title => "New Issue", :class => "btn small" do
|
= link_to new_project_issue_path(@project), :title => "New Issue", :class => "btn small" do
|
||||||
Issue
|
Issue
|
||||||
|
|
||||||
|
|
|
@ -4,13 +4,13 @@
|
||||||
- if can? current_user, :write_wiki, @project
|
- if can? current_user, :write_wiki, @project
|
||||||
= link_to history_project_wiki_path(@project, @wiki), :class => "btn small padded" do
|
= link_to history_project_wiki_path(@project, @wiki), :class => "btn small padded" do
|
||||||
History
|
History
|
||||||
= link_to edit_project_wiki_path(@project, @wiki), :class => "btn small" do
|
= link_to edit_project_wiki_path(@project, @wiki), :class => "btn small" do
|
||||||
Edit
|
Edit
|
||||||
%hr
|
%hr
|
||||||
|
|
||||||
= markdown_to_html @wiki.content
|
= markdown_to_html @wiki.content
|
||||||
|
|
||||||
%p.time Last edited by #{@wiki.user.name}, in #{time_ago_in_words @wiki.created_at}
|
%p.time Last edited by #{@wiki.user.name}, in #{time_ago_in_words @wiki.created_at}
|
||||||
- if can? current_user, :write_wiki, @project
|
- if can? current_user, :admin_wiki, @project
|
||||||
= link_to project_wiki_path(@project, @wiki), :confirm => "Are you sure you want to delete this page?", :method => :delete do
|
= link_to project_wiki_path(@project, @wiki), :confirm => "Are you sure you want to delete this page?", :method => :delete do
|
||||||
Delete this page
|
Delete this page
|
||||||
|
|