Commit b565f33472d960e37ed41a8a0c09fbbc3ea65f1e
1 parent
80685596
Auth for API
Showing
4 changed files
with
27 additions
and
0 deletions
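--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,5 +21,21 @@ module Gitlab
     def authenticate!
       error!({'message' => '401 Unauthorized'}, 401) unless current_user
     end
+
+    def authorize! action, subject
+      unless abilities.allowed?(current_user, action, subject)
+        error!({'message' => '403 Forbidden'}, 403)
+      end
+    end
+
+    private
+
+    def abilities
+      @abilities ||= begin
+        abilities = Six.new
+        abilities << Ability
+        abilities
+      end
+    end
   end
 end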
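Review bot: `authorize!` on line 25 consults `Ability` with whatever `current_user` holds, so a request that reaches it without a prior `authenticate!` is answered according to how `Ability` treats a nil user (a 403, or worse an allow) rather than the 401 that `authenticate!` produces; whether a `before` filter already runs `authenticate!` for every route is outside this hunk. Making `authenticate!` the first statement of `authorize!` keeps the two responses ordered and makes the helper safe to call on its own: `def authorize!(action, subject)` / `authenticate!` / then the existing `unless` check. The parameter list on line 25 also drops the parentheses the style guide asks for on definitions with parameters. The enclosing helpers module starts outside the hunk.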
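--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -79,6 +79,8 @@ module Gitlab
       # PUT /projects/:id/issues/:issue_id
       put ":id/issues/:issue_id" do
         @issue = user_project.issues.find(params[:issue_id])
+        authorize! :modify_issue, @issue
+
         parameters = {
           title: (params[:title] || @issue.title),
           description: (params[:description] || @issue.description),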
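Review bot: The check on line 82 runs after `find`, so a caller without `:modify_issue` still gets a 404 for a missing id and a 403 for an existing one, which reveals whether the issue exists; milestones.rb authorizes on `user_project` before its lookup, while the snippet routes in projects.rb follow the issue ordering. If issue existence should not be observable to such callers, the project-level ordering used in milestones.rb closes that, though it presumably needs a project-scoped ability. Only the PUT route is in this hunk; whether the file's other write routes (POST or DELETE, if present) gained a check is not visible here. The endpoint body continues past the hunk.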
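--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -61,6 +61,8 @@ module Gitlab
       # Example Request:
       # PUT /projects/:id/milestones/:milestone_id
       put ":id/milestones/:milestone_id" do
+        authorize! :admin_milestone, user_project
+
         @milestone = user_project.milestones.find(params[:milestone_id])
         parameters = {
           title: (params[:title] || @milestone.title),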
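--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -74,6 +74,7 @@ module Gitlab
       # Example Request:
       # POST /projects/:id/users
       post ":id/users" do
+        authorize! :admin_project, user_project
         user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
         nil
       end
@@ -87,6 +88,7 @@ module Gitlab
       # Example Request:
       # PUT /projects/:id/add_users
       put ":id/users" do
+        authorize! :admin_project, user_project
         user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
         nil
       end
@@ -99,6 +101,7 @@ module Gitlab
       # Example Request:
       # DELETE /projects/:id/users
       delete ":id/users" do
+        authorize! :admin_project, user_project
         user_project.delete_users_ids_from_team(params[:user_ids].values)
         nil
       end
@@ -186,6 +189,8 @@ module Gitlab
       # PUT /projects/:id/snippets/:snippet_id
       put ":id/snippets/:snippet_id" do
         @snippet = user_project.snippets.find(params[:snippet_id])
+        authorize! :modify_snippet, @snippet
+
         parameters = {
           title: (params[:title] || @snippet.title),
           file_name: (params[:file_name] || @snippet.file_name),
@@ -209,6 +214,8 @@ module Gitlab
       # DELETE /projects/:id/snippets/:snippet_id
       delete ":id/snippets/:snippet_id" do
         @snippet = user_project.snippets.find(params[:snippet_id])
+        authorize! :modify_snippet, @snippet
+
         @snippet.destroy
       end
 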
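Review bot: The same `authorize! :admin_project, user_project` line is added by hand to three `:id/users` routes (the hunks at lines 77, 91 and 104 of the new file), and the snippet PUT and DELETE each repeat the `find`-then-`authorize! :modify_snippet, @snippet` pair; a Grape `before` block on the route group would state the project rule once and cannot be forgotten on the next route, but how these routes are grouped is outside the hunks, so that is only a suggestion. The snippet DELETE reuses the update ability `:modify_snippet`; if deletion is meant to be more restricted than editing, it needs its own ability name, which this diff does not define. Create routes for snippets (POST), if present in this file, do not appear in the diff and would still rely on `authenticate!` alone.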