Authorize build update on per object basis

61dd92aa · Grzegorz Bizon · 93636753 · 61dd92aa · 61dd92aa
Commit 61dd92aa authored May 05, 2017 by Grzegorz Bizon
Showing with 24 additions and 7 deletions

app/controllers/projects/application_controller.rb app/controllers/projects/application_controller.rb +5 -3

app/controllers/projects/builds_controller.rb app/controllers/projects/builds_controller.rb +19 -4

No files found.
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -55,13 +55,15 @@ class Projects::ApplicationController < ApplicationController
      (current_user && current_user.already_forked?(project))
  end

-  def authorize_project!(action)
-    return access_denied! unless can?(current_user, action, project)
+  def authorize_action!(action)
+    unless can?(current_user, action, project)
+      return access_denied!
+    end
  end

  def method_missing(method_sym, *arguments, &block)
    if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
-      authorize_project!($1.to_sym)
+      authorize_action!($1.to_sym)
    else
      super
    end

--- a/app/controllers/projects/builds_controller.rb
+++ b/app/controllers/projects/builds_controller.rb
 class Projects::BuildsController < Projects::ApplicationController
  before_action :build, except: [:index, :cancel_all]
-  before_action :authorize_read_build!, only: [:index, :show, :status, :raw, :trace]
-  before_action :authorize_update_build!, except: [:index, :show, :status, :raw, :trace]
+
+  before_action :authorize_read_build!,
+    only: [:index, :show, :status, :raw, :trace]
+  before_action :authorize_update_build!,
+    except: [:index, :show, :status, :raw, :trace, :cancel_all]
+
  layout 'project'

  def index
@@ -28,7 +32,12 @@ class Projects::BuildsController < Projects::ApplicationController
  end

  def cancel_all
-    @project.builds.running_or_pending.each(&:cancel)
+    return access_denied! unless can?(current_user, :update_build, project)
+
+    @project.builds.running_or_pending.each do |build|
+      build.cancel if can?(current_user, :update_build, build)
+    end
+
    redirect_to namespace_project_builds_path(project.namespace, project)
  end

@@ -107,8 +116,14 @@ class Projects::BuildsController < Projects::ApplicationController

  private

+  def authorize_update_build!
+    return access_denied! unless can?(current_user, :update_build, build)
+  end
+
  def build
-    @build ||= project.builds.find_by!(id: params[:id]).present(current_user: current_user)
+    @build ||= project.builds
+      .find_by!(id: params[:id])
+      .present(current_user: current_user)
  end

  def build_path(build)