Auth for API

This commit is contained in:
randx 2012-09-10 09:06:11 +03:00
parent 80685596d3
commit b565f33472
4 changed files with 27 additions and 0 deletions

View file

@ -21,5 +21,21 @@ module Gitlab
def authenticate! def authenticate!
error!({'message' => '401 Unauthorized'}, 401) unless current_user error!({'message' => '401 Unauthorized'}, 401) unless current_user
end end
def authorize! action, subject
unless abilities.allowed?(current_user, action, subject)
error!({'message' => '403 Forbidden'}, 403)
end
end
private
def abilities
@abilities ||= begin
abilities = Six.new
abilities << Ability
abilities
end
end
end end
end end

View file

@ -79,6 +79,8 @@ module Gitlab
# PUT /projects/:id/issues/:issue_id # PUT /projects/:id/issues/:issue_id
put ":id/issues/:issue_id" do put ":id/issues/:issue_id" do
@issue = user_project.issues.find(params[:issue_id]) @issue = user_project.issues.find(params[:issue_id])
authorize! :modify_issue, @issue
parameters = { parameters = {
title: (params[:title] || @issue.title), title: (params[:title] || @issue.title),
description: (params[:description] || @issue.description), description: (params[:description] || @issue.description),

View file

@ -61,6 +61,8 @@ module Gitlab
# Example Request: # Example Request:
# PUT /projects/:id/milestones/:milestone_id # PUT /projects/:id/milestones/:milestone_id
put ":id/milestones/:milestone_id" do put ":id/milestones/:milestone_id" do
authorize! :admin_milestone, user_project
@milestone = user_project.milestones.find(params[:milestone_id]) @milestone = user_project.milestones.find(params[:milestone_id])
parameters = { parameters = {
title: (params[:title] || @milestone.title), title: (params[:title] || @milestone.title),

View file

@ -74,6 +74,7 @@ module Gitlab
# Example Request: # Example Request:
# POST /projects/:id/users # POST /projects/:id/users
post ":id/users" do post ":id/users" do
authorize! :admin_project, user_project
user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access]) user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
nil nil
end end
@ -87,6 +88,7 @@ module Gitlab
# Example Request: # Example Request:
# PUT /projects/:id/add_users # PUT /projects/:id/add_users
put ":id/users" do put ":id/users" do
authorize! :admin_project, user_project
user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access]) user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
nil nil
end end
@ -99,6 +101,7 @@ module Gitlab
# Example Request: # Example Request:
# DELETE /projects/:id/users # DELETE /projects/:id/users
delete ":id/users" do delete ":id/users" do
authorize! :admin_project, user_project
user_project.delete_users_ids_from_team(params[:user_ids].values) user_project.delete_users_ids_from_team(params[:user_ids].values)
nil nil
end end
@ -186,6 +189,8 @@ module Gitlab
# PUT /projects/:id/snippets/:snippet_id # PUT /projects/:id/snippets/:snippet_id
put ":id/snippets/:snippet_id" do put ":id/snippets/:snippet_id" do
@snippet = user_project.snippets.find(params[:snippet_id]) @snippet = user_project.snippets.find(params[:snippet_id])
authorize! :modify_snippet, @snippet
parameters = { parameters = {
title: (params[:title] || @snippet.title), title: (params[:title] || @snippet.title),
file_name: (params[:file_name] || @snippet.file_name), file_name: (params[:file_name] || @snippet.file_name),
@ -209,6 +214,8 @@ module Gitlab
# DELETE /projects/:id/snippets/:snippet_id # DELETE /projects/:id/snippets/:snippet_id
delete ":id/snippets/:snippet_id" do delete ":id/snippets/:snippet_id" do
@snippet = user_project.snippets.find(params[:snippet_id]) @snippet = user_project.snippets.find(params[:snippet_id])
authorize! :modify_snippet, @snippet
@snippet.destroy @snippet.destroy
end end