Commit 9ea5766c3554843b88bfb65de48872ccd50363e7

Authored by Dmitriy Zaporozhets
1 parent 29306dd6

Improve permissions on tags/branches

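--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -91,6 +91,10 @@ class ApplicationController < ActionController::Base
 return access_denied! unless can?(current_user, :download_code, project) or project.public?
 end
 
+ def authorize_push!
+ return access_denied! unless can?(current_user, :push_code, project)
+ end
+
 def authorize_create_team!
 return access_denied! unless can?(current_user, :create_team, nil)
 end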
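Review bot: `authorize_push!` is added without a comment saying which kind of action it is meant to guard, although it sits next to a `:download_code` check and callers have to pick the right one. I would add a line above it such as `# Deny unless current_user has :push_code on the project; use for actions that create refs (branches, tags).` What `access_denied!` sends to the client is defined outside this hunk, so the response for a denied request is not visible here. None of the files shown on this page is a spec, so the denied path of the new filter appears untested, though the page may not list every file.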
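--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
@@ -3,7 +3,9 @@ class Projects::BranchesController < Projects::ApplicationController
 before_filter :authorize_read_project!
 before_filter :require_non_empty_project
 
- before_filter :authorize_admin_project!, only: [:destroy, :create]
+ before_filter :authorize_code_access!
+ before_filter :authorize_push!, only: [:create]
+ before_filter :authorize_admin_project!, only: [:destroy]
 
 def index
 @branches = Kaminari.paginate_array(@repository.branches).page(params[:page]).per(30)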
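Review bot: The write permissions are attached through `only:` lists, so a state-changing action added to this controller later would be covered only by `authorize_read_project!` and `authorize_code_access!` unless someone remembers to extend a list. A comment above the filters would make that contract explicit, for example `# Every action that writes refs must be named in one of the only: lists below`. The rest of the class lies outside this hunk, so whether other write actions already exist cannot be checked from here. The tags controller in this commit uses the same three filters and has the same property.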
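--- a/app/controllers/projects/tags_controller.rb
+++ b/app/controllers/projects/tags_controller.rb
@@ -1,10 +1,11 @@
 class Projects::TagsController < Projects::ApplicationController
 # Authorize
 before_filter :authorize_read_project!
- before_filter :authorize_code_access!
 before_filter :require_non_empty_project
 
- before_filter :authorize_admin_project!, only: [:destroy, :create]
+ before_filter :authorize_code_access!
+ before_filter :authorize_push!, only: [:create]
+ before_filter :authorize_admin_project!, only: [:destroy]
 
 def index
 @tags = Kaminari.paginate_array(@project.repository.tags).page(params[:page]).per(30)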
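Review bot: `authorize_code_access!` now runs after `require_non_empty_project`, whereas before this change it ran ahead of it, so a user who fails the code-access check reaches the repository-state filter first. The body of `require_non_empty_project` is not on this page, but if it redirects or renders differently for an empty repository, that user can tell empty from non-empty repositories without having code access. I would keep the authorization filters together and first, with `before_filter :authorize_code_access!` directly under `before_filter :authorize_read_project!`. The branches controller in this commit declares its filters in the same order.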
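--- a/app/views/projects/repositories/_filter.html.haml
+++ b/app/views/projects/repositories/_filter.html.haml
@@ -10,6 +10,7 @@
 
 
 %hr
+- if can? current_user, :push_code, @project
 = link_to new_project_branch_path(@project), class: 'btn btn-create' do
 %i.icon-add-sign
 New branch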
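Review bot: The `= link_to new_project_branch_path(@project) … do` block after the new `- if can? current_user, :push_code, @project` is shown as unchanged context, so the diff suggests it was not re-indented under the conditional. Haml nests by indentation, and this page has lost the leading whitespace, so this cannot be confirmed from here. If those three lines did stay at their old level, the guard wraps nothing and the template may not compile; they need one extra level of indentation beneath the `- if`. Hiding the button is presentation only in any case, since enforcement is the `authorize_push!` filter on `create` in the branches controller. The `%hr` above stays outside the conditional, so users without `:push_code` still get a separator with nothing under it.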