Commit 3ddd9f753c0a6a57313ea4860bf7167f98f53cd2

Authored by Dmitriy Zaporozhets
1 parent 70e05801

Fix mass-assignment. Don't allow users w/o access to create team

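--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -94,6 +94,10 @@ class ApplicationController < ActionController::Base
 return access_denied! unless can?(current_user, :download_code, project)
 end
 
+def authorize_create_team!
+return access_denied! unless can?(current_user, :create_team, nil)
+end
+
 def authorize_manage_user_team!
 return access_denied! unless user_team.present? && can?(current_user, :manage_user_team, user_team)
 end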
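Review bot: `authorize_create_team!` passes `nil` as the subject to `can?`, so the `:create_team` ability has to be decided from the user alone; the Ability rule that does this is not in the diff, and the `can_create_team` flag added in app/models/user.rb is presumably what it consults, so confirm that rule exists and denies a user without the flag. Unlike the sibling filters this one has no subject to guard against, so a one-line comment would save the next reader a lookup: `# Team creation is gated by the per-user can_create_team flag; there is no team subject yet`. The ApplicationController body continues outside the hunk.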
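--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -1,13 +1,10 @@
 class TeamsController < ApplicationController
 # Authorize
-before_filter :authorize_manage_user_team!
-before_filter :authorize_admin_user_team!
+before_filter :authorize_create_team!, only: [:new, :create]
+before_filter :authorize_manage_user_team!, only: [:edit, :update]
+before_filter :authorize_admin_user_team!, only: [:destroy]
 
-# Skip access control on public section
-skip_before_filter :authorize_manage_user_team!, only: [:index, :show, :new, :destroy, :create, :search, :issues, :merge_requests]
-skip_before_filter :authorize_admin_user_team!, only: [:index, :show, :new, :create, :search, :issues, :merge_requests]
-
-layout 'user_team', only: [:show, :edit, :update, :destroy, :issues, :merge_requests, :search]
+layout 'user_team', except: [:new, :create]
 
 def index
 @teams = current_user.user_teams.order('name ASC')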
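Review bot: Rewriting the skip lists as `only:` lists drops `authorize_admin_user_team!` from `edit` and `update`: under the removed lines both the manage and the admin filter ran for those two actions, whereas now only `authorize_manage_user_team!` does, so a user with manage but not admin rights on a team gains edit/update unless the abilities are defined so that one implies the other (not visible here). If that relaxation is not intended, `before_filter :authorize_admin_user_team!, only: [:edit, :update, :destroy]` restores the previous gate. The `layout` change also newly applies `user_team` to `index`, which the old `only:` list excluded; worth confirming that is deliberate. The class body continues outside the hunk.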
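--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -40,7 +40,7 @@ class User < ActiveRecord::Base
 attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
 :skype, :linkedin, :twitter, :dark_scheme, :theme_id, :force_random_password,
 :extern_uid, :provider, as: [:default, :admin]
-attr_accessible :projects_limit, as: :admin
+attr_accessible :projects_limit, :can_create_team, :can_create_group, as: :admin
 
 attr_accessor :force_random_password
 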
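Review bot: The admin-only `attr_accessible` line now carries the authorization flags `can_create_team` and `can_create_group`, and that scoping is the actual mass-assignment fix, but nothing on the line says why they must not migrate to the `[:default, :admin]` list directly above it. A why-comment would protect the restriction from a future merge: `# Authorization flags: admin role only, so a user cannot grant themselves team/group creation via a profile update`. `can_create_group` has no consumer in this diff; presumably the Ability rules read it elsewhere. The User class continues outside the hunk.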