Commit 726fa6c76afc9162fe046439f7f11b729190aaa6

Authored by Dmitriy Zaporozhets
1 parent 1df225bb

Respect authorization in Repository API

* don't allow protecting/unprotecting branches for users without master permissions
* don't allow guests to access the Repository API
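--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -64,6 +64,10 @@ module API
       end
     end
 
+    def authorize_admin_project
+      authorize! :admin_project, user_project
+    end
+
     def can?(object, action, subject)
       abilities.allowed?(object, action, subject)
     end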
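Review bot: The new `authorize_admin_project` helper carries no comment saying what happens on failure, and the sibling `can?` right below it returns a boolean, so a reader could assume the helper also returns false rather than halting the request. From the spec's expectations in this commit, a failed `authorize!` appears to end the request with a 403; `authorize!` itself is defined outside this hunk, so confirm that before documenting it. Suggest adding above the def: `# Halts the request (403 via authorize!) unless current_user may administer user_project; used by write endpoints such as branch protect/unprotect.`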
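--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -2,6 +2,7 @@ module API
   # Projects API
   class Repositories < Grape::API
     before { authenticate! }
+    before { authorize! :download_code, user_project }
 
     resource :projects do
       helpers do
@@ -44,13 +45,12 @@ module API
       # Example Request:
       # PUT /projects/:id/repository/branches/:branch/protect
       put ":id/repository/branches/:branch/protect" do
-        @branch = user_project.repo.heads.find { |item| item.name == params[:branch] }
-        not_found! unless @branch
-        protected = user_project.protected_branches.find_by_name(@branch.name)
+        authorize_admin_project
 
-        unless protected
-          user_project.protected_branches.create(name: @branch.name)
-        end
+        @branch = user_project.repository.find_branch(params[:branch])
+        not_found! unless @branch
+        protected_branch = user_project.protected_branches.find_by_name(@branch.name)
+        user_project.protected_branches.create(name: @branch.name) unless protected_branch
 
         present @branch, with: Entities::RepoObject, project: user_project
       end
@@ -63,13 +63,12 @@ module API
       # Example Request:
       # PUT /projects/:id/repository/branches/:branch/unprotect
       put ":id/repository/branches/:branch/unprotect" do
-        @branch = user_project.repo.heads.find { |item| item.name == params[:branch] }
-        not_found! unless @branch
-        protected = user_project.protected_branches.find_by_name(@branch.name)
+        authorize_admin_project
 
-        if protected
-          protected.destroy
-        end
+        @branch = user_project.repository.find_branch(params[:branch])
+        not_found! unless @branch
+        protected_branch = user_project.protected_branches.find_by_name(@branch.name)
+        protected_branch.destroy if protected_branch
 
         present @branch, with: Entities::RepoObject, project: user_project
       end
@@ -92,8 +91,6 @@ module API
       # Example Request:
       # GET /projects/:id/repository/commits
       get ":id/repository/commits" do
-        authorize! :download_code, user_project
-
         page = (params[:page] || 0).to_i
         per_page = (params[:per_page] || 20).to_i
         ref = params[:ref_name] || user_project.try(:default_branch) || 'master'
@@ -110,7 +107,6 @@ module API
       # Example Request:
       # GET /projects/:id/repository/commits/:sha
       get ":id/repository/commits/:sha" do
-        authorize! :download_code, user_project
         sha = params[:sha]
         commit = user_project.repository.commit(sha)
         not_found! "Commit" unless commit
@@ -125,7 +121,6 @@ module API
       # Example Request:
       # GET /projects/:id/repository/commits/:sha/diff
       get ":id/repository/commits/:sha/diff" do
-        authorize! :download_code, user_project
         sha = params[:sha]
         result = CommitLoadContext.new(user_project, current_user, {id: sha}).execute
         not_found! "Commit" unless result[:commit]
@@ -140,8 +135,6 @@ module API
       # Example Request:
       # GET /projects/:id/repository/tree
       get ":id/repository/tree" do
-        authorize! :download_code, user_project
-
         ref = params[:ref_name] || user_project.try(:default_branch) || 'master'
         path = params[:path] || nil
 
@@ -166,7 +159,6 @@ module API
       # Example Request:
       # GET /projects/:id/repository/blobs/:sha
       get [ ":id/repository/blobs/:sha", ":id/repository/commits/:sha/blob" ] do
-        authorize! :download_code, user_project
         required_attributes! [:filepath]
 
         ref = params[:sha]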
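Review bot: In the rewritten protect endpoint the `find_by_name` lookup and the following `create` are two separate statements, so two concurrent protect requests for the same branch can both miss the lookup and insert duplicate protected_branches rows unless a uniqueness validation or DB index exists outside this diff. Since the file already relies on dynamic finders, the two lines collapse to the atomic-intent form `user_project.protected_branches.find_or_create_by_name(@branch.name)`. Separately, moving the read check into a class-wide `before` is the safer default because any route added later is covered, but a reader of a single route no longer sees it; add above that line `# Every route in this class requires :download_code on the project; write routes add authorize_admin_project on top.` Calling `authorize_admin_project` before `not_found!` is the right order, as it keeps unauthorized users from probing branch names.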
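--- a/spec/requests/api/repositories_spec.rb
+++ b/spec/requests/api/repositories_spec.rb
@@ -8,7 +8,8 @@ describe API::API do
   let(:user) { create(:user) }
   let(:user2) { create(:user) }
   let!(:project) { create(:project_with_code, creator_id: user.id) }
-  let!(:users_project) { create(:users_project, user: user, project: project, project_access: UsersProject::MASTER) }
+  let!(:master) { create(:users_project, user: user, project: project, project_access: UsersProject::MASTER) }
+  let!(:guest) { create(:users_project, user: user2, project: project, project_access: UsersProject::GUEST) }
 
   before { project.team << [user, :reporter] }
 
@@ -32,6 +33,11 @@ describe API::API do
       json_response['protected'].should == false
     end
 
+    it "should return a 403 error if guest" do
+      get api("/projects/#{project.id}/repository/branches", user2)
+      response.status.should == 403
+    end
+
     it "should return a 404 error if branch is not available" do
       get api("/projects/#{project.id}/repository/branches/unknown", user)
       response.status.should == 404
@@ -53,6 +59,11 @@ describe API::API do
       response.status.should == 404
     end
 
+    it "should return a 403 error if guest" do
+      put api("/projects/#{project.id}/repository/branches/new_design/protect", user2)
+      response.status.should == 403
+    end
+
     it "should return success when protect branch again" do
       put api("/projects/#{project.id}/repository/branches/new_design/protect", user)
       put api("/projects/#{project.id}/repository/branches/new_design/protect", user)
</format_update>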
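Review bot: The new 403 test for the protect endpoint uses `user2`, who is a GUEST, and guests are already rejected by the class-wide `:download_code` filter added in this commit, so this test passes without ever reaching `authorize_admin_project`; the "no protect without master permissions" claim in the commit message is left unverified. A member who can read code but not administer the project is the case that actually exercises the new check, and the unprotect endpoint has no 403 test at all. Assuming a developer-level `UsersProject` constant exists alongside the MASTER/GUEST ones used here, add a third member and a test for each write endpoint.
```ruby
  let(:user3) { create(:user) }
  let!(:developer) { create(:users_project, user: user3, project: project, project_access: UsersProject::DEVELOPER) }

  # … unchanged: existing branches examples …

    it "should return a 403 error if not project master" do
      put api("/projects/#{project.id}/repository/branches/new_design/protect", user3)
      response.status.should == 403
    end

    it "should return a 403 error on unprotect if not project master" do
      put api("/projects/#{project.id}/repository/branches/new_design/unprotect", user3)
      response.status.should == 403
    end
```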