Commit b565f33472d960e37ed41a8a0c09fbbc3ea65f1e

Authored by randx
1 parent 80685596

Auth for API

lib/api/helpers.rb
... ... @@ -21,5 +21,21 @@ module Gitlab
21 21 def authenticate!
22 22 error!({'message' => '401 Unauthorized'}, 401) unless current_user
23 23 end
  24 +
  25 + def authorize! action, subject
  26 + unless abilities.allowed?(current_user, action, subject)
  27 + error!({'message' => '403 Forbidden'}, 403)
  28 + end
  29 + end
  30 +
  31 + private
  32 +
  33 + def abilities
  34 + @abilities ||= begin
  35 + abilities = Six.new
  36 + abilities << Ability
  37 + abilities
  38 + end
  39 + end
24 40 end
25 41 end
... ...
lib/api/issues.rb
... ... @@ -79,6 +79,8 @@ module Gitlab
79 79 # PUT /projects/:id/issues/:issue_id
80 80 put ":id/issues/:issue_id" do
81 81 @issue = user_project.issues.find(params[:issue_id])
  82 + authorize! :modify_issue, @issue
  83 +
82 84 parameters = {
83 85 title: (params[:title] || @issue.title),
84 86 description: (params[:description] || @issue.description),
... ...
lib/api/milestones.rb
... ... @@ -61,6 +61,8 @@ module Gitlab
61 61 # Example Request:
62 62 # PUT /projects/:id/milestones/:milestone_id
63 63 put ":id/milestones/:milestone_id" do
  64 + authorize! :admin_milestone, user_project
  65 +
64 66 @milestone = user_project.milestones.find(params[:milestone_id])
65 67 parameters = {
66 68 title: (params[:title] || @milestone.title),
... ...
lib/api/projects.rb
... ... @@ -74,6 +74,7 @@ module Gitlab
74 74 # Example Request:
75 75 # POST /projects/:id/users
76 76 post ":id/users" do
  77 + authorize! :admin_project, user_project
77 78 user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
78 79 nil
79 80 end
... ... @@ -87,6 +88,7 @@ module Gitlab
87 88 # Example Request:
88 89 # PUT /projects/:id/add_users
89 90 put ":id/users" do
  91 + authorize! :admin_project, user_project
90 92 user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
91 93 nil
92 94 end
... ... @@ -99,6 +101,7 @@ module Gitlab
99 101 # Example Request:
100 102 # DELETE /projects/:id/users
101 103 delete ":id/users" do
  104 + authorize! :admin_project, user_project
102 105 user_project.delete_users_ids_from_team(params[:user_ids].values)
103 106 nil
104 107 end
... ... @@ -186,6 +189,8 @@ module Gitlab
186 189 # PUT /projects/:id/snippets/:snippet_id
187 190 put ":id/snippets/:snippet_id" do
188 191 @snippet = user_project.snippets.find(params[:snippet_id])
  192 + authorize! :modify_snippet, @snippet
  193 +
189 194 parameters = {
190 195 title: (params[:title] || @snippet.title),
191 196 file_name: (params[:file_name] || @snippet.file_name),
... ... @@ -209,6 +214,8 @@ module Gitlab
209 214 # DELETE /projects/:id/snippets/:snippet_id
210 215 delete ":id/snippets/:snippet_id" do
211 216 @snippet = user_project.snippets.find(params[:snippet_id])
  217 + authorize! :modify_snippet, @snippet
  218 +
212 219 @snippet.destroy
213 220 end
214 221  
... ...