Download as
Browse Code »

Commit 9df6f7bfad0b18ddaa9fdda2506a8c8958224a7e

Authored by Dmitriy Zaporozhets
1 parent 83f2a387
Exists in master and in 4 other branches 6-8-stable, 7-0-stable, 7-0-stable-spb, spb-stable

authorized_projects and authorized_groups methods for user

Showing 4 changed files with 26 additions and 16 deletions   Show diff stats
app/controllers/dashboard_controller.rb
  Diff comments   View file @9df6f7b
... ... @@ -5,8 +5,10 @@ class DashboardController < ApplicationController
5 5 before_filter :event_filter, only: :index
6 6  
7 7 def index
8   - @groups = current_user.accessed_groups
  8 + @groups = current_user.authorized_groups
  9 +
9 10 @projects = @projects.page(params[:page]).per(30)
  11 +
10 12 @events = Event.in_projects(current_user.project_ids)
11 13 @events = @event_filter.apply_filter(@events)
12 14 @events = @events.limit(20).offset(params[:offset] || 0)
... ... @@ -43,7 +45,7 @@ class DashboardController < ApplicationController
43 45 protected
44 46  
45 47 def projects
46   - @projects = current_user.projects_sorted_by_activity
  48 + @projects = current_user.authorized_projects.sorted_by_activity
47 49 end
48 50  
49 51 def event_filter
... ...
app/controllers/groups_controller.rb
  Diff comments   View file @9df6f7b
... ... @@ -5,6 +5,9 @@ class GroupsController < ApplicationController
5 5 before_filter :group
6 6 before_filter :projects
7 7  
  8 + # Authorize
  9 + before_filter :authorize_read_group!
  10 +
8 11 def show
9 12 @events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0)
10 13 @last_push = current_user.recent_push
... ... @@ -54,16 +57,17 @@ class GroupsController < ApplicationController
54 57 end
55 58  
56 59 def projects
57   - @projects ||= begin
58   - if can?(current_user, :manage_group, @group)
59   - @group.projects
60   - else
61   - current_user.projects.where(namespace_id: @group.id)
62   - end.sorted_by_activity.all
63   - end
  60 + @projects ||= group.projects.authorized_for(current_user).sorted_by_activity
64 61 end
65 62  
66 63 def project_ids
67 64 projects.map(&:id)
68 65 end
  66 +
  67 + # Dont allow unauthorized access to group
  68 + def authorize_read_group!
  69 + unless projects.present? or can?(current_user, :manage_group, @group)
  70 + return render_404
  71 + end
  72 + end
69 73 end
... ...
app/models/project.rb
  Diff comments   View file @9df6f7b
... ... @@ -76,6 +76,11 @@ class Project < ActiveRecord::Base
76 76 scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") }
77 77  
78 78 class << self
  79 + def authorized_for user
  80 + projects = includes(:users_projects, :namespace)
  81 + projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)
  82 + end
  83 +
79 84 def active
80 85 joins(:issues, :notes, :merge_requests).order("issues.created_at, notes.created_at, merge_requests.created_at DESC")
81 86 end
... ... @@ -285,9 +290,4 @@ class Project &lt; ActiveRecord::Base
285 290 merge_requests
286 291 end
287 292 end
288   -
289   - def self.authorized_for user
290   - projects = includes(:users_projects, :namespace)
291   - projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)
292   - end
293 293 end
... ...
app/models/user.rb
  Diff comments   View file @9df6f7b
... ... @@ -124,11 +124,15 @@ class User &lt; ActiveRecord::Base
124 124 end
125 125 end
126 126  
127   - def accessed_groups
128   - @accessed_groups ||= begin
  127 + def authorized_groups
  128 + @authorized_groups ||= begin
129 129 groups = Group.where(id: self.projects.pluck(:namespace_id)).all
130 130 groups = groups + self.groups
131 131 groups.uniq
132 132 end
133 133 end
  134 +
  135 + def authorized_projects
  136 + Project.authorized_for(self)
  137 + end
134 138 end
... ...