Commit 237ddd60244526ab5869c78cc086cec637544399

Authored by Dmitriy Zaporozhets
1 parent 4645f464

Improve authorization for new/edit blob pages

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
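--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -6,6 +6,7 @@ class Projects::BlobController &lt; Projects::ApplicationController
 before_filter :authorize_read_project!
 before_filter :authorize_code_access!
 before_filter :require_non_empty_project
+before_filter :authorize_push!, only: [:destroy]
 
 before_filter :blob
 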
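Review bot: `only: [:destroy]` on the new `authorize_push!` filter is an allow-list of protected actions, so a write action added to this controller later would be reachable with read access alone unless someone remembers to extend the list. If the remaining actions are all read-only, inverting the filter fails closed, e.g. `before_filter :authorize_push!, except: [:show]` (assuming `show` is the only read action; the action list is outside the hunk). A controller spec asserting that a user with read-only access is refused on `destroy` would pin the behaviour this commit intends.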
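--- a/app/controllers/projects/edit_tree_controller.rb
+++ b/app/controllers/projects/edit_tree_controller.rb
@@ -1,6 +1,7 @@
 class Projects::EditTreeController < Projects::BaseTreeController
 before_filter :require_branch_head
 before_filter :blob
+before_filter :authorize_push!
 
 def show
 @last_commit = Gitlab::Git::Commit.last_for_path(@repository, @ref, @path).sha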
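Review bot: `before_filter :authorize_push!` is registered after `require_branch_head` and `blob`, and filters run in declaration order, so both of those run for a caller without push rights before the request is refused. Declaring `before_filter :authorize_push!` directly under the `class` line puts the authorization first, so nothing is looked up in the repository for an unauthorized user; the same applies in new_tree_controller.rb, where it follows `require_branch_head`. `authorize_push!` is not defined in this diff; if it only checks `:push_code` on the project, as the view condition in `_tree.html.haml` suggests, it does not take `@ref` into account, so any per-branch restriction would have to be enforced elsewhere. The class body continues outside the hunk.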
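--- a/app/controllers/projects/new_tree_controller.rb
+++ b/app/controllers/projects/new_tree_controller.rb
@@ -1,5 +1,6 @@
 class Projects::NewTreeController < Projects::BaseTreeController
 before_filter :require_branch_head
+before_filter :authorize_push!
 
 def show
 end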
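--- a/app/views/projects/tree/_tree.html.haml
+++ b/app/views/projects/tree/_tree.html.haml
@@ -9,7 +9,7 @@
 = link_to truncate(title, length: 40), project_tree_path(@project, path)
 - else
 = link_to title, '#'
-- if @repository.branch_names.include?(@ref)
+- if current_user && @repository.branch_names.include?(@ref) && current_user.can?(:push_code, @project)
 %li
 = link_to project_new_tree_path(@project, @id), title: 'New file', id: 'new-file-link' do
 %small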
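Review bot: The new condition on the `- if` line only hides the 'New file' link; it is not an access check, and it repeats the `:push_code` ability that the controllers enforce through `authorize_push!`, so the two can drift apart. Extracting the three clauses into one view helper keeps the rule in a single place and shortens the line, for example `- if can_create_file?(@project, @ref)` (a proposed name, not an existing helper). A short comment such as `-# UI hint only; NewTreeController enforces push access` would tell later readers that removing the controller filter is not safe. The block under the `- if` continues outside the hunk.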