Commit 3ddd9f753c0a6a57313ea4860bf7167f98f53cd2
1 parent
70e05801
Fix mass-assignment. Don't allow users without access to create a team
Showing
3 changed files
with
9 additions
and
8 deletions
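--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -94,6 +94,10 @@ class ApplicationController < ActionController::Base
     return access_denied! unless can?(current_user, :download_code, project)
   end
 
+  def authorize_create_team!
+    return access_denied! unless can?(current_user, :create_team, nil)
+  end
+
   def authorize_manage_user_team!
     return access_denied! unless user_team.present? && can?(current_user, :manage_user_team, user_team)
   end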
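Review bot: `authorize_create_team!` passes `nil` as the subject of `can?`, so the whole check rests on the Ability class having a `:create_team` rule that tolerates a nil subject and consults the user's `can_create_team` flag, and that rule is not part of this commit. If no such rule exists the filter denies everyone; if a rule matches `:create_team` without looking at the user it permits everyone, so a controller spec exercising one user with `can_create_team` set and one without would pin the intended behaviour. A short comment above the method would also save the next reader a trip into Ability: `# Team creation is not scoped to an existing record, hence the nil subject; the :create_team ability is expected to derive from user.can_create_team`. That expectation is inferred from the user.rb hunk in this commit rather than visible here, so confirm it against Ability.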
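--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@@ -1,13 +1,10 @@
 class TeamsController < ApplicationController
   # Authorize
-  before_filter :authorize_manage_user_team!
-  before_filter :authorize_admin_user_team!
+  before_filter :authorize_create_team!, only: [:new, :create]
+  before_filter :authorize_manage_user_team!, only: [:edit, :update]
+  before_filter :authorize_admin_user_team!, only: [:destroy]
 
-  # Skip access control on public section
-  skip_before_filter :authorize_manage_user_team!, only: [:index, :show, :new, :destroy, :create, :search, :issues, :merge_requests]
-  skip_before_filter :authorize_admin_user_team!, only: [:index, :show, :new, :create, :search, :issues, :merge_requests]
-
-  layout 'user_team', only: [:show, :edit, :update, :destroy, :issues, :merge_requests, :search]
+  layout 'user_team', except: [:new, :create]
 
   def index
     @teams = current_user.user_teams.order('name ASC')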
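Review bot: The new `only:` lists quietly relax `edit` and `update`: on the old side neither action appeared in either `skip_before_filter` list, so both had to pass `authorize_manage_user_team!` and `authorize_admin_user_team!`, whereas on the new side they pass only the manage check. Unless `:manage_user_team` already implies team admin inside Ability (not visible in this diff), a member with manage rights but not admin rights can now edit the team, and the commit message mentions only team creation. Either restore `before_filter :authorize_admin_user_team!, only: [:edit, :update, :destroy]` or state in the message that the relaxation is intended. Switching from deny-by-default with explicit skips to allow-by-default with `only:` also means any action added to this controller later runs with no authorization filter at all; listing the public actions with `except: [:index, :show, :search, :issues, :merge_requests]` on the manage filter would keep the fail-closed default.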
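--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -40,7 +40,7 @@ class User < ActiveRecord::Base
   attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
                   :skype, :linkedin, :twitter, :dark_scheme, :theme_id, :force_random_password,
                   :extern_uid, :provider, as: [:default, :admin]
-  attr_accessible :projects_limit, as: :admin
+  attr_accessible :projects_limit, :can_create_team, :can_create_group, as: :admin
 
   attr_accessor :force_random_password
 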
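Review bot: Making `:can_create_team` and `:can_create_group` assignable only under `as: :admin` is the right fix, but it only holds if every code path that builds or updates a User from request params passes `as: :admin` solely for administrators; those controllers are outside this diff, so a request spec that posts `can_create_team=1` through the ordinary profile update and asserts the flag is unchanged would lock the fix in. Separately, the untouched default list on the line above still exposes `:extern_uid` and `:provider` to any form that mass-assigns a user's own record; if the OAuth sign-in path resolves users by (provider, extern_uid), a user can bind their account to someone else's external identity. Since this commit is already tightening the whitelist, moving those two to the admin list, `attr_accessible :projects_limit, :can_create_team, :can_create_group, :extern_uid, :provider, as: :admin`, would close that, provided the OAuth account-creation path assigns them explicitly or with the admin role.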