Commit 8c40aab120dbc5507ab9cc8d7ad8e2519d6e9f25

Authored by Dmitriy Zaporozhets
1 parent af82b677

Abilities extended. Resource security improved

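--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -48,6 +48,10 @@ class ApplicationController < ActionController::Base
 return render_404 unless can?(current_user, action, project)
 end
 
+def authorize_code_access!
+return render_404 unless can?(current_user, :download_code, project)
+end
+
 def access_denied!
 render_404
 end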
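Review bot: The new `authorize_code_access!` (lines 51-53) re-implements the check that the method ending at line 50 already performs generically — that body reads `action` and `project`, so it looks like an `authorize_project!(action)` helper whose `def` sits above the hunk. If that is the case, the new method can delegate, `authorize_project!(:download_code)`, so the 404-on-deny decision lives in one place and cannot drift. Either way a one-line comment stating the intent would help readers coming from the controllers that use it: `# Gate tree/commit/repository views on :download_code (granted at Reporter level and above in Ability).`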
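--- a/app/controllers/commits_controller.rb
+++ b/app/controllers/commits_controller.rb
@@ -7,6 +7,7 @@ class CommitsController < ApplicationController
 # Authorize
 before_filter :add_project_abilities
 before_filter :authorize_read_project!
+before_filter :authorize_code_access!
 before_filter :require_non_empty_project
 before_filter :load_refs, :only => :index # load @branch, @tag & @ref
 before_filter :render_full_content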
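--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -126,12 +126,11 @@ class IssuesController < ApplicationController
 end
 
 def authorize_modify_issue!
-can?(current_user, :modify_issue, @issue) ||
-@issue.assignee == current_user
+return render_404 unless can?(current_user, :modify_issue, @issue)
 end
 
 def authorize_admin_issue!
-can?(current_user, :admin_issue, @issue)
+return render_404 unless can?(current_user, :admin_issue, @issue)
 end
 
 def module_enabled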
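--- a/app/controllers/merge_requests_controller.rb
+++ b/app/controllers/merge_requests_controller.rb
@@ -112,12 +112,11 @@ class MergeRequestsController < ApplicationController
 end
 
 def authorize_modify_merge_request!
-can?(current_user, :modify_merge_request, @merge_request) ||
-@merge_request.assignee == current_user
+return render_404 unless can?(current_user, :modify_merge_request, @merge_request)
 end
 
 def authorize_admin_merge_request!
-can?(current_user, :admin_merge_request, @merge_request)
+return render_404 unless can?(current_user, :admin_merge_request, @merge_request)
 end
 
 def module_enabled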
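--- a/app/controllers/refs_controller.rb
+++ b/app/controllers/refs_controller.rb
@@ -4,6 +4,7 @@ class RefsController < ApplicationController
 # Authorize
 before_filter :add_project_abilities
 before_filter :authorize_read_project!
+before_filter :authorize_code_access!
 before_filter :require_non_empty_project
 
 before_filter :ref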
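--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -4,6 +4,7 @@ class RepositoriesController < ApplicationController
 # Authorize
 before_filter :add_project_abilities
 before_filter :authorize_read_project!
+before_filter :authorize_code_access!
 before_filter :require_non_empty_project
 before_filter :render_full_content
 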
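--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -1,6 +1,7 @@
 class SnippetsController < ApplicationController
 before_filter :authenticate_user!
 before_filter :project
+before_filter :snippet, :only => [:show, :edit, :destroy, :update]
 layout "project"
 
 # Authorize
@@ -41,11 +42,9 @@ class SnippetsController < ApplicationController
 end
 
 def edit
-@snippet = @project.snippets.find(params[:id])
 end
 
 def update
-@snippet = @project.snippets.find(params[:id])
 @snippet.update_attributes(params[:snippet])
 
 if @snippet.valid?
@@ -56,15 +55,12 @@ class SnippetsController < ApplicationController
 end
 
 def show
-@snippet = @project.snippets.find(params[:id])
 @notes = @snippet.notes
 @note = @project.notes.new(:noteable => @snippet)
 render_full_content
 end
 
 def destroy
-@snippet = @project.snippets.find(params[:id])
-
 return access_denied! unless can?(current_user, :admin_snippet, @snippet)
 
 @snippet.destroy
@@ -73,12 +69,15 @@ class SnippetsController < ApplicationController
 end
 
 protected
+def snippet
+@snippet ||= @project.snippets.find(params[:id])
+end
 
 def authorize_modify_snippet!
-can?(current_user, :modify_snippet, @snippet)
+return render_404 unless can?(current_user, :modify_snippet, @snippet)
 end
 
 def authorize_admin_snippet!
-can?(current_user, :admin_snippet, @snippet)
+return render_404 unless can?(current_user, :admin_snippet, @snippet)
 end
 end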
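Review bot: `authorize_modify_snippet!` and `authorize_admin_snippet!` (lines 76-82) now deny with a 404 but still read `@snippet`, which is only set by the new `snippet` filter (line 4); that works because Rails runs before_filters in declaration order and the `# Authorize` filters that call them are declared later, but nothing on the page records that ordering dependency. A comment on line 4 would: `# Loads @snippet for the authorize_*_snippet! filters declared below; must stay above them.` The `:only` list on line 4 also has to be kept in step with whichever actions those authorize filters are wired to (their `:only` lists are outside the hunk). `destroy` (line 63) keeps its inline `access_denied!` check; if `authorize_admin_snippet!` already runs for `destroy`, the inline check is redundant and one of the two should be dropped so there is a single place to audit.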
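--- a/app/controllers/wikis_controller.rb
+++ b/app/controllers/wikis_controller.rb
@@ -2,7 +2,7 @@ class WikisController < ApplicationController
 before_filter :project
 before_filter :add_project_abilities
 before_filter :authorize_read_wiki!
-before_filter :authorize_write_wiki!, :except => [:show, :destroy]
+before_filter :authorize_write_wiki!, :only => [:edit, :create, :history]
 before_filter :authorize_admin_wiki!, :only => :destroy
 layout "project"
 
@@ -12,6 +12,11 @@ class WikisController < ApplicationController
 else
 @wiki = @project.wikis.where(:slug => params[:id]).order("created_at").last
 end
+
+unless @wiki
+return render_404 unless can?(current_user, :write_wiki, @project)
+end
+
 respond_to do |format|
 if @wiki
 format.html
@@ -51,18 +56,4 @@ class WikisController < ApplicationController
 format.html { redirect_to project_wiki_path(@project, :index), notice: "Page was successfully deleted" }
 end
 end
-
-protected
-
-def authorize_read_wiki!
-can?(current_user, :read_wiki, @project)
-end
-
-def authorize_write_wiki!
-can?(current_user, :write_wiki, @project)
-end
-
-def authorize_admin_wiki!
-can?(current_user, :admin_wiki, @project)
-end
 end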
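Review bot: Changing `authorize_write_wiki!` from `:except => [:show, :destroy]` to `:only => [:edit, :create, :history]` (line 5) turns a fail-closed deny-list into an allow-list: any write action the controller has or later gains that is not named there (an `update` or `new`, if present — the rest of the class is outside these hunks) runs with no write check at all, whereas the old form covered it automatically. If the intent is only that `show` handles page creation itself via the new check at lines 16-18, `:except => [:show, :destroy]` keeps the fail-closed property with the same effect. The three `authorize_*_wiki!` methods deleted at lines 57-67 are still referenced by the filters on lines 4-6, so they must now resolve through ApplicationController (not shown in this diff); worth confirming, because an unresolved name fails as a `NoMethodError` on the first request rather than as a denial. The new block at lines 16-18 reads more directly as `return render_404 if @wiki.nil? && !can?(current_user, :write_wiki, @project)`.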
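--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -5,7 +5,7 @@ class Ability
 when "Issue" then issue_abilities(object, subject)
 when "Note" then note_abilities(object, subject)
 when "Snippet" then snippet_abilities(object, subject)
-when "Wiki" then wiki_abilities(object, subject)
+when "MergeRequest" then merge_request_abilities(object, subject)
 else []
 end
 end
@@ -23,13 +23,13 @@ class Ability
 :read_note,
 :write_project,
 :write_issue,
-:write_snippet,
-:write_merge_request,
 :write_note
 ] if project.guest_access_for?(user)
 
 rules << [
 :download_code,
+:write_merge_request,
+:write_snippet
 ] if project.report_access_for?(user)
 
 rules << [
@@ -39,7 +39,7 @@ class Ability
 rules << [
 :modify_issue,
 :modify_snippet,
-:modify_wiki,
+:modify_merge_request,
 :admin_project,
 :admin_issue,
 :admin_snippet,
@@ -47,7 +47,7 @@ class Ability
 :admin_merge_request,
 :admin_note,
 :admin_wiki
-] if project.master_access_for?(user)
+] if project.master_access_for?(user) || project.owner == user
 
 
 rules.flatten
@@ -63,6 +63,12 @@ class Ability
 :"modify_#{name}",
 :"admin_#{name}"
 ]
+elsif subject.respond_to?(:assignee) && subject.assignee == user
+[
+:"read_#{name}",
+:"write_#{name}",
+:"modify_#{name}",
+]
 else
 subject.respond_to?(:project) ?
 project_abilities(user, subject.project) : []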
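Review bot: The new assignee branch (lines 66-71) tests `subject.assignee == user` without first requiring `user` to be present, so an unassigned issue or merge request (`assignee` nil) matches a nil user and hands `read_`/`write_`/`modify_` to a caller with no signed-in user, should this method ever be reached from an unauthenticated path; the author branch whose tail is visible at lines 63-65 looks like it has the same shape. Guarding the new condition is a one-line change: `elsif user && subject.respond_to?(:assignee) && subject.assignee == user`. The same question applies to `project.owner == user` on line 50 if `owner` can be nil. The enclosing method starts and ends outside the hunk.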
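--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -188,7 +188,7 @@ class Project < ActiveRecord::Base
 elsif access.include?(:write)
 { :project_access => UsersProject::DEVELOPER }
 else
-{ :project_access => UsersProject::GUEST }
+{ :project_access => UsersProject::REPORTER }
 end
 opts = { :user => user }
 opts.merge!(access)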
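Review bot: The fallback branch on line 191 now grants `UsersProject::REPORTER` rather than `GUEST` to every caller that passes none of the recognised access flags, and after this commit that level carries `:download_code`, `:write_merge_request` and `:write_snippet`. The method's callers are outside the hunk, so it is worth confirming none of them relies on the old least-privilege default — a caller that omitted the flag to mean "guest" now silently gets code access. A comment on the line would record the decision for the next reader: `# no access flag given: default to REPORTER (read-only code access), not GUEST`. The enclosing method starts and ends outside the hunk.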
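--- a/app/views/help/permissions.html.haml
+++ b/app/views/help/permissions.html.haml
@@ -4,15 +4,17 @@
 %h4 Guest
 %ul
 %li Create new issue
-%li Create new merge request
+%li Leave comments
 %li Write on project wall
 
 %h4 Reporter
 %ul
 %li Pull project code
+%li Download project
 %li Create new issue
 %li Create new merge request
 %li Write on project wall
+%li Create a code snippets
 
 
 %h4 Developer
@@ -25,6 +27,7 @@
 %li Create new issue
 %li Create new merge request
 %li Write on project wall
+%li Write a wiki
 
 %h4 Master
 %ul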
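--- a/app/views/issues/_show.html.haml
+++ b/app/views/issues/_show.html.haml
@@ -1,11 +1,10 @@
 %li.wll{ :id => dom_id(issue), :class => "issue #{issue.critical ? "critical" : ""}", :url => project_issue_path(issue.project, issue) }
 .right
-- if can? current_user, :write_issue, issue
+- if can? current_user, :modify_issue, issue
 - if issue.closed
 = link_to 'Reopen', project_issue_path(issue.project, issue, :issue => {:closed => false }, :status_only => true), :method => :put, :class => "btn small", :remote => true
 - else
 = link_to 'Resolve', project_issue_path(issue.project, issue, :issue => {:closed => true }, :status_only => true), :method => :put, :class => "success btn small", :remote => true
-- if can? current_user, :write_issue, issue
 = link_to 'Edit', edit_project_issue_path(issue.project, issue), :class => "btn small edit-issue-link", :remote => true
 -#- if can?(current_user, :admin_issue, @project) || issue.author == current_user
 = link_to 'Remove', [issue.project, issue], :confirm => 'Are you sure?', :method => :delete, :remote => true, :class => "danger btn small delete-issue", :id => "destroy_issue_#{issue.id}"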
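--- a/app/views/layouts/_project_menu.html.haml
+++ b/app/views/layouts/_project_menu.html.haml
@@ -4,8 +4,9 @@
 Project
 
 - if @project.repo_exists?
-= link_to "Files", tree_project_ref_path(@project, @project.root_ref), :class => tree_tab_class
-= link_to "Commits", project_commits_path(@project), :class => commit_tab_class
+- if can? current_user, :download_code, @project
+= link_to "Files", tree_project_ref_path(@project, @project.root_ref), :class => tree_tab_class
+= link_to "Commits", project_commits_path(@project), :class => commit_tab_class
 
 = link_to "Network", graph_project_path(@project), :class => current_page?(:controller => "projects", :action => "graph", :id => @project) ? "current" : nil
 - if @project.issues_enabled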
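--- a/app/views/merge_requests/show.html.haml
+++ b/app/views/merge_requests/show.html.haml
@@ -10,12 +10,11 @@
 = @merge_request.created_at.stamp("Aug 21, 2011")
 
 %span.right
-- if can?(current_user, :admin_project, @project) || @merge_request.author == current_user
+- if can?(current_user, :modify_merge_request, @merge_request)
 - if @merge_request.closed
 = link_to 'Reopen', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => false }, :status_only => true), :method => :put, :class => "btn"
 - else
 = link_to 'Close', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => true }, :status_only => true), :method => :put, :class => "btn", :title => "Close merge request"
-- if can?(current_user, :admin_project, @project) || @merge_request.author == current_user
 = link_to edit_project_merge_request_path(@project, @merge_request), :class => "btn small" do
 Edit
 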
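--- a/app/views/widgets/_project_member.html.haml
+++ b/app/views/widgets/_project_member.html.haml
@@ -11,23 +11,19 @@
 %p
 - if @project.issues_enabled
 %span
-Assigned issues:
+Assigned Issues:
 = current_user.assigned_issues.opened.count
 %br
 - if @project.merge_requests_enabled
 %span
-Assigned merge request:
-= current_user.assigned_merge_requests.opened.count
-%br
-%span
-Your merge requests:
+Assigned Requests:
 = current_user.assigned_merge_requests.opened.count
 %br
 %br
-- if @project.merge_requests_enabled
+- if @project.merge_requests_enabled && can?(current_user, :write_merge_request, @project)
 = link_to new_project_merge_request_path(@project), :title => "New Merge Request", :class => "btn small padded" do
 Merge Request
-- if @project.issues_enabled
+- if @project.issues_enabled && can?(current_user, :write_issue, @project)
 = link_to new_project_issue_path(@project), :title => "New Issue", :class => "btn small" do
 Issue
 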
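--- a/app/views/wikis/show.html.haml
+++ b/app/views/wikis/show.html.haml
@@ -4,13 +4,13 @@
 - if can? current_user, :write_wiki, @project
 = link_to history_project_wiki_path(@project, @wiki), :class => "btn small padded" do
 History
-= link_to edit_project_wiki_path(@project, @wiki), :class => "btn small" do
-Edit
+= link_to edit_project_wiki_path(@project, @wiki), :class => "btn small" do
+Edit
 %hr
 
 = markdown_to_html @wiki.content
 
 %p.time Last edited by #{@wiki.user.name}, in #{time_ago_in_words @wiki.created_at}
-- if can? current_user, :write_wiki, @project
+- if can? current_user, :admin_wiki, @project
 = link_to project_wiki_path(@project, @wiki), :confirm => "Are you sure you want to delete this page?", :method => :delete do
 Delete this page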