Commit 8ec42ff85ced58f925a1214738c841372f774eda

Authored by Dmitriy Zaporozhets
2 parents 67ba36eb dccfb374

Merge pull request #7090 from NARKOZ/api-files-access

fix permissions for files API
Showing 1 changed file with 8 additions and 1 deletions
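--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -2,7 +2,6 @@ module API
 # Projects API
 class Files < Grape::API
 before { authenticate! }
-before { authorize! :push_code, user_project }
 
 resource :projects do
 # Get file from repository
@@ -28,6 +27,8 @@ module API
 # }
 #
 get ":id/repository/files" do
+authorize! :download_code, user_project
+
 required_attributes! [:file_path, :ref]
 attrs = attributes_for_keys [:file_path, :ref]
 ref = attrs.delete(:ref)
@@ -68,6 +69,8 @@ module API
 # POST /projects/:id/repository/files
 #
 post ":id/repository/files" do
+authorize! :push_code, user_project
+
 required_attributes! [:file_path, :branch_name, :content, :commit_message]
 attrs = attributes_for_keys [:file_path, :branch_name, :content, :commit_message, :encoding]
 branch_name = attrs.delete(:branch_name)
@@ -98,6 +101,8 @@ module API
 # PUT /projects/:id/repository/files
 #
 put ":id/repository/files" do
+authorize! :push_code, user_project
+
 required_attributes! [:file_path, :branch_name, :content, :commit_message]
 attrs = attributes_for_keys [:file_path, :branch_name, :content, :commit_message, :encoding]
 branch_name = attrs.delete(:branch_name)
@@ -128,6 +133,8 @@ module API
 # DELETE /projects/:id/repository/files
 #
 delete ":id/repository/files" do
+authorize! :push_code, user_project
+
 required_attributes! [:file_path, :branch_name, :commit_message]
 attrs = attributes_for_keys [:file_path, :branch_name, :commit_message]
 branch_name = attrs.delete(:branch_name)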
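Review bot: Dropping the class-wide `before { authorize! :push_code, user_project }` in the first hunk makes the permission check opt-in per route. Any route added to `Files` later will run with only `authenticate!` unless its author remembers to call `authorize!`. I would record that contract next to the remaining filter, e.g. `# No class-wide permission check: every route below must call authorize! with the ability it needs.` above `before { authenticate! }`. The page lists only lib/api/files.rb as changed, so no spec appears to accompany the fix. A request spec would pin the intended split: a member who has `:download_code` but not `:push_code` can GET a file and is refused on POST, PUT and DELETE. The four route bodies continue outside the hunks shown, so I cannot confirm that nothing before the new `authorize!` lines touches the repository.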