Abilities refactoring

Dmitriy Zaporozhets 2011-12-15 23:57:46 +02:00
parent 7a9fc48080
commit ccc9bed893
7 changed files with 83 additions and 8 deletions


@ -6,8 +6,18 @@ class IssuesController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
# Allow read any issue
before_filter :authorize_read_issue! before_filter :authorize_read_issue!
before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort]
# Allow write(create) issue
before_filter :authorize_write_issue!, :only => [:new, :create]
# Allow modify issue
before_filter :authorize_modify_issue!, :only => [:close, :edit, :update, :sort]
# Allow destroy issue
before_filter :authorize_admin_issue!, :only => [:destroy]
respond_to :js, :html respond_to :js, :html
@ -115,4 +125,13 @@ class IssuesController < ApplicationController
def issue def issue
@issue ||= @project.issues.find(params[:id]) @issue ||= @project.issues.find(params[:id])
end end
def authorize_modify_issue!
can?(current_user, :modify_issue, @issue) ||
@issue.assignee == current_user
end
def authorize_admin_issue!
can?(current_user, :admin_issue, @issue)
end
end end
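Review bot: `authorize_modify_issue!` and `authorize_admin_issue!` at the end of the second hunk only return the result of `can?`, and a Rails controller filter stops a request by rendering or redirecting, not by returning false, so as written `close`, `edit`, `update`, `sort` and `destroy` appear to run regardless of the check. Both methods also read `@issue` directly; unless a filter outside this hunk has already loaded it, it is nil here, and `@issue.assignee` raises for any user who fails the `can?` test. Going through the memoized `issue` helper and denying explicitly would fix both, e.g. `head :forbidden unless can?(current_user, :modify_issue, issue) || issue.assignee == current_user` (or the project's own access-denied helper, if it has one). The same pattern is in `authorize_modify_merge_request!`/`authorize_admin_merge_request!` and `authorize_modify_snippet!`/`authorize_admin_snippet!` in this commit. The class body continues outside the hunk.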


@ -6,8 +6,18 @@ class MergeRequestsController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_project!
before_filter :authorize_write_project!, :only => [:new, :create, :edit, :update] # Allow read any merge_request
before_filter :authorize_read_merge_request!
# Allow write(create) merge_request
before_filter :authorize_write_merge_request!, :only => [:new, :create]
# Allow modify merge_request
before_filter :authorize_modify_merge_request!, :only => [:close, :edit, :update, :sort]
# Allow destroy merge_request
before_filter :authorize_admin_merge_request!, :only => [:destroy]
def index def index
@merge_requests = @project.merge_requests @merge_requests = @project.merge_requests
@ -85,4 +95,13 @@ class MergeRequestsController < ApplicationController
def merge_request def merge_request
@merge_request ||= @project.merge_requests.find(params[:id]) @merge_request ||= @project.merge_requests.find(params[:id])
end end
def authorize_modify_merge_request!
can?(current_user, :modify_merge_request, @merge_request) ||
@merge_request.assignee == current_user
end
def authorize_admin_merge_request!
can?(current_user, :admin_merge_request, @merge_request)
end
end end


@ -3,6 +3,8 @@ class NotesController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_note!
before_filter :authorize_write_note!, :only => [:create] before_filter :authorize_write_note!, :only => [:create]
respond_to :js respond_to :js
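Review bot: Only `:create` is covered by a write check in this filter list, and unlike the issue, merge request and snippet controllers in this commit, no modify or admin filter is added for notes. If this controller has a `destroy` action (not visible in the hunk), confirm it is gated somewhere, or add `before_filter :authorize_admin_note!, :only => [:destroy]` once such a filter is defined in a way that actually halts the request.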


@ -5,8 +5,18 @@ class SnippetsController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
# Allow read any snippet
before_filter :authorize_read_snippet! before_filter :authorize_read_snippet!
before_filter :authorize_write_snippet!, :only => [:new, :create, :close, :edit, :update, :sort]
# Allow write(create) snippet
before_filter :authorize_write_snippet!, :only => [:new, :create]
# Allow modify snippet
before_filter :authorize_modify_snippet!, :only => [:edit, :update]
# Allow destroy snippet
before_filter :authorize_admin_snippet!, :only => [:destroy]
respond_to :html respond_to :html
@ -60,4 +70,14 @@ class SnippetsController < ApplicationController
redirect_to project_snippets_path(@project) redirect_to project_snippets_path(@project)
end end
protected
def authorize_modify_snippet!
can?(current_user, :modify_snippet, @snippet)
end
def authorize_admin_snippet!
can?(current_user, :admin_snippet, @snippet)
end
end end


@ -5,7 +5,7 @@ class TeamMembersController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_project! before_filter :authorize_read_project!
before_filter :authorize_admin_project!, :only => [:new, :create, :destroy, :update] before_filter :authorize_admin_project!, :except => [:show]
def show def show
@team_member = project.users_projects.find(params[:id]) @team_member = project.users_projects.find(params[:id])
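Review bot: Switching from an `:only` allow-list to `:except => [:show]` makes every other action, including ones added later, admin-only by default, which is the safer direction, but the intent deserves a comment so the exception list is not widened casually. Something like `# Admin-only by default; :show is the only action open to readers` above the filter would do. The hunk does not show which other actions the controller defines, so check that none of them was meant to stay available to non-admin members.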


@ -19,7 +19,7 @@ class Ability
:read_team_member, :read_team_member,
:read_merge_request, :read_merge_request,
:read_note :read_note
] if project.readers.include?(user) ] if project.allow_read_for?(user)
rules << [ rules << [
:write_project, :write_project,
@ -27,16 +27,18 @@ class Ability
:write_snippet, :write_snippet,
:write_merge_request, :write_merge_request,
:write_note :write_note
] if project.writers.include?(user) ] if project.allow_write_for?(user)
rules << [ rules << [
:modify_issue,
:modify_snippet,
:admin_project, :admin_project,
:admin_issue, :admin_issue,
:admin_snippet, :admin_snippet,
:admin_team_member, :admin_team_member,
:admin_merge_request, :admin_merge_request,
:admin_note :admin_note
] if project.admins.include?(user) ] if project.allow_admin_for?(user)
rules.flatten rules.flatten
end end
@ -48,6 +50,7 @@ class Ability
[ [
:"read_#{name}", :"read_#{name}",
:"write_#{name}", :"write_#{name}",
:"modify_#{name}",
:"admin_#{name}" :"admin_#{name}"
] ]
else else
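Review bot: The admin rule list gains `:modify_issue` and `:modify_snippet` but not `:modify_merge_request`, while MergeRequestsController in this commit checks `can?(current_user, :modify_merge_request, @merge_request)`. If the per-object branch in the last hunk falls back to these project rules for users who are not the author (that code is outside the hunk), a project admin would be refused on merge requests they did not create, leaving only the assignee shortcut. Adding `:modify_merge_request,` next to the other two entries keeps the three resource types aligned. A one-line comment stating that modify is granted at admin level would also help, since the name suggests something weaker.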


@ -161,6 +161,18 @@ class Project < ActiveRecord::Base
@admins ||= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user) @admins ||= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user)
end end
def allow_read_for?(user)
!users_projects.where(:user_id => user.id, :project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).empty?
end
def allow_write_for?(user)
!users_projects.where(:user_id => user.id, :project_access => [PROJECT_RW, PROJECT_RWA]).empty?
end
def allow_admin_for?(user)
!users_projects.where(:user_id => user.id, :project_access => [PROJECT_RWA]).empty? || owner_id == user.id
end
def root_ref def root_ref
default_branch || "master" default_branch || "master"
end end
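Review bot: `allow_admin_for?` treats the owner as an admin through `|| owner_id == user.id`, but `allow_read_for?` and `allow_write_for?` look only at `users_projects`, so an owner without a membership row would get the admin abilities and none of the read or write ones. If ownership is meant to imply full access, add the same `|| owner_id == user.id` clause to the other two predicates. All three also call `user.id` unconditionally, whereas the `readers.include?(user)` style calls they replace in Ability tolerated a nil user; if an unauthenticated request can reach Ability (not visible here), a `return false unless user` guard is needed. `exists?` on the relation would express the membership test more directly than negating `empty?`.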