Auth for API

2012-09-10 09:06:11 +03:00 · 2012-09-10 09:06:11 +03:00 · b565f33472
parent 80685596d3
commit b565f33472
4 changed files with 27 additions and 0 deletions
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@ -21,5 +21,21 @@ module Gitlab
    def authenticate!
      error!({'message' => '401 Unauthorized'}, 401) unless current_user
    end
+
+    def authorize! action, subject
+      unless abilities.allowed?(current_user, action, subject)
+        error!({'message' => '403 Forbidden'}, 403)
+      end
+    end
+
+    private 
+
+    def abilities
+      @abilities ||= begin
+                       abilities = Six.new
+                       abilities << Ability
+                       abilities
+                     end
+    end
  end
 end
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@ -79,6 +79,8 @@ module Gitlab
      #   PUT /projects/:id/issues/:issue_id
      put ":id/issues/:issue_id" do
        @issue = user_project.issues.find(params[:issue_id])
+        authorize! :modify_issue, @issue
+
        parameters = {
          title: (params[:title] || @issue.title),
          description: (params[:description] || @issue.description),
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@ -61,6 +61,8 @@ module Gitlab
      # Example Request:
      #   PUT /projects/:id/milestones/:milestone_id
      put ":id/milestones/:milestone_id" do
+        authorize! :admin_milestone, user_project
+
        @milestone = user_project.milestones.find(params[:milestone_id])
        parameters = {
          title: (params[:title] || @milestone.title),
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@ -74,6 +74,7 @@ module Gitlab
      # Example Request:
      #   POST /projects/:id/users
      post ":id/users" do
+        authorize! :admin_project, user_project
        user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
        nil
      end
@ -87,6 +88,7 @@ module Gitlab
      # Example Request:
      #   PUT /projects/:id/add_users
      put ":id/users" do
+        authorize! :admin_project, user_project
        user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
        nil
      end
@ -99,6 +101,7 @@ module Gitlab
      # Example Request:
      #   DELETE /projects/:id/users
      delete ":id/users" do
+        authorize! :admin_project, user_project
        user_project.delete_users_ids_from_team(params[:user_ids].values)
        nil
      end
@ -186,6 +189,8 @@ module Gitlab
      #   PUT /projects/:id/snippets/:snippet_id
      put ":id/snippets/:snippet_id" do
        @snippet = user_project.snippets.find(params[:snippet_id])
+        authorize! :modify_snippet, @snippet
+
        parameters = {
          title: (params[:title] || @snippet.title),
          file_name: (params[:file_name] || @snippet.file_name),
@ -209,6 +214,8 @@ module Gitlab
      #   DELETE /projects/:id/snippets/:snippet_id
      delete ":id/snippets/:snippet_id" do
        @snippet = user_project.snippets.find(params[:snippet_id])
+        authorize! :modify_snippet, @snippet
+
        @snippet.destroy
      end