Auth for API

randx
1 parent 80685596
Showing 4 changed files with 27 additions and 0 deletions Show diff stats
lib/api/helpers.rb
lib/api/issues.rb
lib/api/milestones.rb
lib/api/projects.rb
@@ -21,5 +21,21 @@ module Gitlab
     def authenticate!
       error!({'message' => '401 Unauthorized'}, 401) unless current_user
     end
+
+    def authorize! action, subject
+      unless abilities.allowed?(current_user, action, subject)
+        error!({'message' => '403 Forbidden'}, 403)
+      end
+    end
+
+    private 
+
+    def abilities
+      @abilities ||= begin
+                       abilities = Six.new
+                       abilities << Ability
+                       abilities
+                     end
+    end
   end
 end
@@ -79,6 +79,8 @@ module Gitlab
       #   PUT /projects/:id/issues/:issue_id
       put ":id/issues/:issue_id" do
         @issue = user_project.issues.find(params[:issue_id])
+        authorize! :modify_issue, @issue
+
         parameters = {
           title: (params[:title] || @issue.title),
           description: (params[:description] || @issue.description),
@@ -61,6 +61,8 @@ module Gitlab
       # Example Request:
       #   PUT /projects/:id/milestones/:milestone_id
       put ":id/milestones/:milestone_id" do
+        authorize! :admin_milestone, user_project
+
         @milestone = user_project.milestones.find(params[:milestone_id])
         parameters = {
           title: (params[:title] || @milestone.title),
@@ -74,6 +74,7 @@ module Gitlab
       # Example Request:
       #   POST /projects/:id/users
       post ":id/users" do
+        authorize! :admin_project, user_project
         user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
         nil
       end
@@ -87,6 +88,7 @@ module Gitlab
       # Example Request:
       #   PUT /projects/:id/add_users
       put ":id/users" do
+        authorize! :admin_project, user_project
         user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
         nil
       end
@@ -99,6 +101,7 @@ module Gitlab
       # Example Request:
       #   DELETE /projects/:id/users
       delete ":id/users" do
+        authorize! :admin_project, user_project
         user_project.delete_users_ids_from_team(params[:user_ids].values)
         nil
       end
@@ -186,6 +189,8 @@ module Gitlab
       #   PUT /projects/:id/snippets/:snippet_id
       put ":id/snippets/:snippet_id" do
         @snippet = user_project.snippets.find(params[:snippet_id])
+        authorize! :modify_snippet, @snippet
+
         parameters = {
           title: (params[:title] || @snippet.title),
           file_name: (params[:file_name] || @snippet.file_name),
@@ -209,6 +214,8 @@ module Gitlab
       #   DELETE /projects/:id/snippets/:snippet_id
       delete ":id/snippets/:snippet_id" do
         @snippet = user_project.snippets.find(params[:snippet_id])
+        authorize! :modify_snippet, @snippet
+
         @snippet.destroy
       end
...	...	@@ -21,5 +21,21 @@ module Gitlab
21	21	def authenticate!
22	22	error!({'message' => '401 Unauthorized'}, 401) unless current_user
23	23	end
	24	+
	25	+ def authorize! action, subject
	26	+ unless abilities.allowed?(current_user, action, subject)
	27	+ error!({'message' => '403 Forbidden'}, 403)
	28	+ end
	29	+ end
	30	+
	31	+ private
	32	+
	33	+ def abilities
	34	+ @abilities \|\|= begin
	35	+ abilities = Six.new
	36	+ abilities << Ability
	37	+ abilities
	38	+ end
	39	+ end
24	40	end
25	41	end
...	...
...	...	@@ -79,6 +79,8 @@ module Gitlab
79	79	# PUT /projects/:id/issues/:issue_id
80	80	put ":id/issues/:issue_id" do
81	81	@issue = user_project.issues.find(params[:issue_id])
	82	+ authorize! :modify_issue, @issue
	83	+
82	84	parameters = {
83	85	title: (params[:title] \|\| @issue.title),
84	86	description: (params[:description] \|\| @issue.description),
...	...
...	...	@@ -61,6 +61,8 @@ module Gitlab
61	61	# Example Request:
62	62	# PUT /projects/:id/milestones/:milestone_id
63	63	put ":id/milestones/:milestone_id" do
	64	+ authorize! :admin_milestone, user_project
	65	+
64	66	@milestone = user_project.milestones.find(params[:milestone_id])
65	67	parameters = {
66	68	title: (params[:title] \|\| @milestone.title),
...	...
...	...	@@ -74,6 +74,7 @@ module Gitlab
74	74	# Example Request:
75	75	# POST /projects/:id/users
76	76	post ":id/users" do
	77	+ authorize! :admin_project, user_project
77	78	user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
78	79	nil
79	80	end
...	...	@@ -87,6 +88,7 @@ module Gitlab
87	88	# Example Request:
88	89	# PUT /projects/:id/add_users
89	90	put ":id/users" do
	91	+ authorize! :admin_project, user_project
90	92	user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
91	93	nil
92	94	end
...	...	@@ -99,6 +101,7 @@ module Gitlab
99	101	# Example Request:
100	102	# DELETE /projects/:id/users
101	103	delete ":id/users" do
	104	+ authorize! :admin_project, user_project
102	105	user_project.delete_users_ids_from_team(params[:user_ids].values)
103	106	nil
104	107	end
...	...	@@ -186,6 +189,8 @@ module Gitlab
186	189	# PUT /projects/:id/snippets/:snippet_id
187	190	put ":id/snippets/:snippet_id" do
188	191	@snippet = user_project.snippets.find(params[:snippet_id])
	192	+ authorize! :modify_snippet, @snippet
	193	+
189	194	parameters = {
190	195	title: (params[:title] \|\| @snippet.title),
191	196	file_name: (params[:file_name] \|\| @snippet.file_name),
...	...	@@ -209,6 +214,8 @@ module Gitlab
209	214	# DELETE /projects/:id/snippets/:snippet_id
210	215	delete ":id/snippets/:snippet_id" do
211	216	@snippet = user_project.snippets.find(params[:snippet_id])
	217	+ authorize! :modify_snippet, @snippet
	218	+
212	219	@snippet.destroy
213	220	end
214	221
...	...