From 237ddd60244526ab5869c78cc086cec637544399 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Fri, 24 Jan 2014 21:29:52 +0200
Subject: [PATCH] Improve authorization for new/edit blob pages
---
 app/controllers/projects/blob_controller.rb | 1 +
 app/controllers/projects/edit_tree_controller.rb | 1 +
 app/controllers/projects/new_tree_controller.rb | 1 +
 app/views/projects/tree/_tree.html.haml | 2 +-
 4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index 2aa7347..a1a8bed 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -6,6 +6,7 @@ class Projects::BlobController < Projects::ApplicationController
 before_filter :authorize_read_project!
 before_filter :authorize_code_access!
 before_filter :require_non_empty_project
+ before_filter :authorize_push!, only: [:destroy]
 before_filter :blob
diff --git a/app/controllers/projects/edit_tree_controller.rb b/app/controllers/projects/edit_tree_controller.rb
index aa46313..6bd1a45 100644
--- a/app/controllers/projects/edit_tree_controller.rb
+++ b/app/controllers/projects/edit_tree_controller.rb
@@ -1,6 +1,7 @@
 class Projects::EditTreeController < Projects::BaseTreeController
 before_filter :require_branch_head
 before_filter :blob
+ before_filter :authorize_push!
 def show
 @last_commit = Gitlab::Git::Commit.last_for_path(@repository, @ref, @path).sha
diff --git a/app/controllers/projects/new_tree_controller.rb b/app/controllers/projects/new_tree_controller.rb
index 2f3647a..3a51a78 100644
--- a/app/controllers/projects/new_tree_controller.rb
+++ b/app/controllers/projects/new_tree_controller.rb
@@ -1,5 +1,6 @@
 class Projects::NewTreeController < Projects::BaseTreeController
 before_filter :require_branch_head
+ before_filter :authorize_push!
 def show
 end
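Review bot: `authorize_push!` is called without a ref, so as wired here it can only make a project-wide decision, while the action it guards presumably writes to one specific branch. The helper is defined outside this diff; if it tests the same `:push_code` ability the view hunk uses, any per-branch restriction has to be enforced further down the commit path, which is worth confirming here and for the same filter in edit_tree_controller.rb and new_tree_controller.rb. Separately, `only: [:destroy]` is an allowlist, so a write action added to this controller later starts out unguarded; if `show` is the only read action (the action list is outside the hunk), `before_filter :authorize_push!, except: [:show]` makes denial the default.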
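Review bot: `before_filter :authorize_push!` is declared after `before_filter :blob`, and filters run in declaration order, so a user without push rights still triggers the blob lookup and receives whatever response it gives for a missing path before the permission check runs. blob_controller.rb in this same commit places the authorization ahead of `:blob`; doing the same here keeps the denied response uniform and avoids repository work for requests that will be refused. Moving the new line to the top of the filter list, ahead of `before_filter :require_branch_head`, achieves that, and new_tree_controller.rb has the same ordering relative to `:require_branch_head`. The class body continues outside the hunk.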
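Review bot: Nothing in this commit exercises the denied path: the diffstat lists only three controllers and one view, so a later reordering or an `only:`/`except:` edit could drop this filter without any spec failing. A request spec that signs in a user who can read the project but not push, and asserts the denied response for the new-file page as well as the edit page and blob destroy from the other hunks, would pin the behaviour. The class body continues outside the hunk.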
diff --git a/app/views/projects/tree/_tree.html.haml b/app/views/projects/tree/_tree.html.haml
index 4e80872..ee850e2 100644
--- a/app/views/projects/tree/_tree.html.haml
+++ b/app/views/projects/tree/_tree.html.haml
@@ -9,7 +9,7 @@
 = link_to truncate(title, length: 40), project_tree_path(@project, path)
 - else
 = link_to title, '#'
- - if @repository.branch_names.include?(@ref)
+ - if current_user && @repository.branch_names.include?(@ref) && current_user.can?(:push_code, @project)
 %li
 = link_to project_new_tree_path(@project, @id), title: 'New file', id: 'new-file-link' do
 %small
--
libgit2 0.21.2
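Review bot: The changed line restates the push rule inline as `current_user.can?(:push_code, @project)`, separate from the `authorize_push!` filter the controllers use, so the link's visibility and the server-side check can drift apart when one of them changes. Moving the condition into a view helper gives the template a single place to update; `authorize_push!` itself is defined outside this diff, so whether the two can share one predicate needs checking. Short of that, ordering it as `- if current_user && current_user.can?(:push_code, @project) && @repository.branch_names.include?(@ref)` skips the branch-name lookup for users who will never see the link. Hiding the link is a convenience only; the controller filters added in the other hunks remain the actual control. The `%li` block continues outside the hunk.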