Commit 237ddd60244526ab5869c78cc086cec637544399

Authored by Dmitriy Zaporozhets
1 parent 4645f464

Improve authorization for new/edit blob pages

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
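--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -6,6 +6,7 @@ class Projects::BlobController &lt; Projects::ApplicationController
 before_filter :authorize_read_project!
 before_filter :authorize_code_access!
 before_filter :require_non_empty_project
+before_filter :authorize_push!, only: [:destroy]
 
 before_filter :blob
 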
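Review bot: The push check on the added line is opt-in per action: with `only: [:destroy]`, any other write action this controller has or later gains is guarded only by the read-level filters above it unless someone remembers to extend the list. The rest of the controller is outside the hunk, so whether other mutating actions exist today cannot be confirmed from here. I would add a comment above the line, `# authorize_push! is opt-in: list every action that modifies the repository`, or, if the remaining actions are all read-only, invert the filter to an `except:` list so that new actions are denied by default.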
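--- a/app/controllers/projects/edit_tree_controller.rb
+++ b/app/controllers/projects/edit_tree_controller.rb
@@ -1,6 +1,7 @@
 class Projects::EditTreeController < Projects::BaseTreeController
 before_filter :require_branch_head
 before_filter :blob
+before_filter :authorize_push!
 
 def show
 @last_commit = Gitlab::Git::Commit.last_for_path(@repository, @ref, @path).sha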
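Review bot: `before_filter :authorize_push!` is declared after `require_branch_head` and `blob`, so for a user without push access the ref and blob lookups run, and presumably can produce their own responses, before the permission check is reached. blob_controller.rb in this commit places the same filter ahead of `before_filter :blob`; the order here should match, with the new line moved to the top of the filter list. The same applies to new_tree_controller.rb, where the filter follows `require_branch_head`. Filters inherited from Projects::BaseTreeController are not visible on this page, so the effective order should be confirmed against that class.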
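--- a/app/controllers/projects/new_tree_controller.rb
+++ b/app/controllers/projects/new_tree_controller.rb
@@ -1,5 +1,6 @@
 class Projects::NewTreeController < Projects::BaseTreeController
 before_filter :require_branch_head
+before_filter :authorize_push!
 
 def show
 end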
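--- a/app/views/projects/tree/_tree.html.haml
+++ b/app/views/projects/tree/_tree.html.haml
@@ -9,7 +9,7 @@
 = link_to truncate(title, length: 40), project_tree_path(@project, path)
 - else
 = link_to title, '#'
-- if @repository.branch_names.include?(@ref)
+- if current_user && @repository.branch_names.include?(@ref) && current_user.can?(:push_code, @project)
 %li
 = link_to project_new_tree_path(@project, @id), title: 'New file', id: 'new-file-link' do
 %small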
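Review bot: The new condition checks `:push_code` against `@project` only, while `@ref` is tested merely for being a branch name, so the 'New file' link is shown for every branch of a project the user can push to. If the project restricts pushes on some branches, and `authorize_push!` in the controllers is the same project-level check (its body is not part of this commit), the link and the pages behind it stay reachable for a branch the user may not write to, and the ref-level rule then has to be enforced where the commit is created. Separately, the three-part condition would read better as one helper shared with the controller filter, so the view and the enforcement cannot drift apart. The `%li` block continues past the end of the hunk.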