From 9df6f7bfad0b18ddaa9fdda2506a8c8958224a7e Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Thu, 29 Nov 2012 17:17:01 +0200 Subject: [PATCH] authorized_projects and authorized_groups methods for user --- app/controllers/dashboard_controller.rb | 6 ++++-- app/controllers/groups_controller.rb | 18 +++++++++++------- app/models/project.rb | 10 +++++----- app/models/user.rb | 8 ++++++-- 4 files changed, 26 insertions(+), 16 deletions(-) diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb index e01b586a..3d9b0940 100644 --- a/app/controllers/dashboard_controller.rb +++ b/app/controllers/dashboard_controller.rb @@ -5,8 +5,10 @@ class DashboardController < ApplicationController before_filter :event_filter, only: :index def index - @groups = current_user.accessed_groups + @groups = current_user.authorized_groups + @projects = @projects.page(params[:page]).per(30) + @events = Event.in_projects(current_user.project_ids) @events = @event_filter.apply_filter(@events) @events = @events.limit(20).offset(params[:offset] || 0) @@ -43,7 +45,7 @@ class DashboardController < ApplicationController protected def projects - @projects = current_user.projects_sorted_by_activity + @projects = current_user.authorized_projects.sorted_by_activity end def event_filter diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index cfa7e89f..880092e4 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -5,6 +5,9 @@ class GroupsController < ApplicationController before_filter :group before_filter :projects + # Authorize + before_filter :authorize_read_group! + def show @events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0) @last_push = current_user.recent_push @@ -54,16 +57,17 @@ class GroupsController < ApplicationController end def projects - @projects ||= begin - if can?(current_user, :manage_group, @group) - @group.projects - else - current_user.projects.where(namespace_id: @group.id) - end.sorted_by_activity.all - end + @projects ||= group.projects.authorized_for(current_user).sorted_by_activity end def project_ids projects.map(&:id) end + + # Dont allow unauthorized access to group + def authorize_read_group! + unless projects.present? or can?(current_user, :manage_group, @group) + return render_404 + end + end end diff --git a/app/models/project.rb b/app/models/project.rb index 68d09cae..1d03d065 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -76,6 +76,11 @@ class Project < ActiveRecord::Base scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") } class << self + def authorized_for user + projects = includes(:users_projects, :namespace) + projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id) + end + def active joins(:issues, :notes, :merge_requests).order("issues.created_at, notes.created_at, merge_requests.created_at DESC") end @@ -285,9 +290,4 @@ class Project < ActiveRecord::Base merge_requests end end - - def self.authorized_for user - projects = includes(:users_projects, :namespace) - projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id) - end end diff --git a/app/models/user.rb b/app/models/user.rb index 4ec4c277..3f2d7c92 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -124,11 +124,15 @@ class User < ActiveRecord::Base end end - def accessed_groups - @accessed_groups ||= begin + def authorized_groups + @authorized_groups ||= begin groups = Group.where(id: self.projects.pluck(:namespace_id)).all groups = groups + self.groups groups.uniq end end + + def authorized_projects + Project.authorized_for(self) + end end