Commit 9df6f7bfad0b18ddaa9fdda2506a8c8958224a7e
1 parent
83f2a387
Exists in
master
and in
4 other branches
authorized_projects and authorized_groups methods for user
Showing
4 changed files
with
26 additions
and
16 deletions
Show diff stats
app/controllers/dashboard_controller.rb
| @@ -5,8 +5,10 @@ class DashboardController < ApplicationController | @@ -5,8 +5,10 @@ class DashboardController < ApplicationController | ||
| 5 | before_filter :event_filter, only: :index | 5 | before_filter :event_filter, only: :index |
| 6 | 6 | ||
| 7 | def index | 7 | def index |
| 8 | - @groups = current_user.accessed_groups | 8 | + @groups = current_user.authorized_groups |
| 9 | + | ||
| 9 | @projects = @projects.page(params[:page]).per(30) | 10 | @projects = @projects.page(params[:page]).per(30) |
| 11 | + | ||
| 10 | @events = Event.in_projects(current_user.project_ids) | 12 | @events = Event.in_projects(current_user.project_ids) |
| 11 | @events = @event_filter.apply_filter(@events) | 13 | @events = @event_filter.apply_filter(@events) |
| 12 | @events = @events.limit(20).offset(params[:offset] || 0) | 14 | @events = @events.limit(20).offset(params[:offset] || 0) |
| @@ -43,7 +45,7 @@ class DashboardController < ApplicationController | @@ -43,7 +45,7 @@ class DashboardController < ApplicationController | ||
| 43 | protected | 45 | protected |
| 44 | 46 | ||
| 45 | def projects | 47 | def projects |
| 46 | - @projects = current_user.projects_sorted_by_activity | 48 | + @projects = current_user.authorized_projects.sorted_by_activity |
| 47 | end | 49 | end |
| 48 | 50 | ||
| 49 | def event_filter | 51 | def event_filter |
app/controllers/groups_controller.rb
| @@ -5,6 +5,9 @@ class GroupsController < ApplicationController | @@ -5,6 +5,9 @@ class GroupsController < ApplicationController | ||
| 5 | before_filter :group | 5 | before_filter :group |
| 6 | before_filter :projects | 6 | before_filter :projects |
| 7 | 7 | ||
| 8 | + # Authorize | ||
| 9 | + before_filter :authorize_read_group! | ||
| 10 | + | ||
| 8 | def show | 11 | def show |
| 9 | @events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0) | 12 | @events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0) |
| 10 | @last_push = current_user.recent_push | 13 | @last_push = current_user.recent_push |
| @@ -54,16 +57,17 @@ class GroupsController < ApplicationController | @@ -54,16 +57,17 @@ class GroupsController < ApplicationController | ||
| 54 | end | 57 | end |
| 55 | 58 | ||
| 56 | def projects | 59 | def projects |
| 57 | - @projects ||= begin | ||
| 58 | - if can?(current_user, :manage_group, @group) | ||
| 59 | - @group.projects | ||
| 60 | - else | ||
| 61 | - current_user.projects.where(namespace_id: @group.id) | ||
| 62 | - end.sorted_by_activity.all | ||
| 63 | - end | 60 | + @projects ||= group.projects.authorized_for(current_user).sorted_by_activity |
| 64 | end | 61 | end |
| 65 | 62 | ||
| 66 | def project_ids | 63 | def project_ids |
| 67 | projects.map(&:id) | 64 | projects.map(&:id) |
| 68 | end | 65 | end |
| 66 | + | ||
| 67 | + # Dont allow unauthorized access to group | ||
| 68 | + def authorize_read_group! | ||
| 69 | + unless projects.present? or can?(current_user, :manage_group, @group) | ||
| 70 | + return render_404 | ||
| 71 | + end | ||
| 72 | + end | ||
| 69 | end | 73 | end |
app/models/project.rb
| @@ -76,6 +76,11 @@ class Project < ActiveRecord::Base | @@ -76,6 +76,11 @@ class Project < ActiveRecord::Base | ||
| 76 | scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") } | 76 | scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") } |
| 77 | 77 | ||
| 78 | class << self | 78 | class << self |
| 79 | + def authorized_for user | ||
| 80 | + projects = includes(:users_projects, :namespace) | ||
| 81 | + projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id) | ||
| 82 | + end | ||
| 83 | + | ||
| 79 | def active | 84 | def active |
| 80 | joins(:issues, :notes, :merge_requests).order("issues.created_at, notes.created_at, merge_requests.created_at DESC") | 85 | joins(:issues, :notes, :merge_requests).order("issues.created_at, notes.created_at, merge_requests.created_at DESC") |
| 81 | end | 86 | end |
| @@ -285,9 +290,4 @@ class Project < ActiveRecord::Base | @@ -285,9 +290,4 @@ class Project < ActiveRecord::Base | ||
| 285 | merge_requests | 290 | merge_requests |
| 286 | end | 291 | end |
| 287 | end | 292 | end |
| 288 | - | ||
| 289 | - def self.authorized_for user | ||
| 290 | - projects = includes(:users_projects, :namespace) | ||
| 291 | - projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id) | ||
| 292 | - end | ||
| 293 | end | 293 | end |
app/models/user.rb
| @@ -124,11 +124,15 @@ class User < ActiveRecord::Base | @@ -124,11 +124,15 @@ class User < ActiveRecord::Base | ||
| 124 | end | 124 | end |
| 125 | end | 125 | end |
| 126 | 126 | ||
| 127 | - def accessed_groups | ||
| 128 | - @accessed_groups ||= begin | 127 | + def authorized_groups |
| 128 | + @authorized_groups ||= begin | ||
| 129 | groups = Group.where(id: self.projects.pluck(:namespace_id)).all | 129 | groups = Group.where(id: self.projects.pluck(:namespace_id)).all |
| 130 | groups = groups + self.groups | 130 | groups = groups + self.groups |
| 131 | groups.uniq | 131 | groups.uniq |
| 132 | end | 132 | end |
| 133 | end | 133 | end |
| 134 | + | ||
| 135 | + def authorized_projects | ||
| 136 | + Project.authorized_for(self) | ||
| 137 | + end | ||
| 134 | end | 138 | end |