Security for online editor. Replace dev_access?, master_access? with can? method usage

0189ee97 · randx · 5ec1ad8b · 0189ee97 · 0189ee97 · 0189ee97
Commit 0189ee97 authored Oct 21, 2012 by randx
7 changed files
--- a/app/controllers/tree_controller.rb
+++ b/app/controllers/tree_controller.rb
@@ -48,5 +48,13 @@ class TreeController < ProjectResourceController
    unless @tree.is_blob? && @tree.text?
      redirect_to project_tree_path(@project, @id), notice: "You can only edit text files"
    end
+
+    allowed = if project.protected_branch? @ref
+                can?(current_user, :push_code_to_protected_branches, project)
+              else
+                can?(current_user, :push_code, project)
+              end
+
+    return access_denied! unless allowed
  end
 end
--- a/app/helpers/tree_helper.rb
+++ b/app/helpers/tree_helper.rb
@@ -59,4 +59,12 @@ module TreeHelper
  def tree_join(*args)
    File.join(*args)
  end
+
+  def allowed_tree_edit?
+    if @project.protected_branch? @ref
+      can?(current_user, :push_code_to_protected_branches, @project)
+    else
+      can?(current_user, :push_code, @project)
+    end
+  end
 end
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -35,9 +35,14 @@ class Ability
      ] if project.report_access_for?(user)

      rules << [
-        :write_wiki
+        :write_wiki,
+        :push_code
      ] if project.dev_access_for?(user)

+      rules << [
+        :push_code_to_protected_branches
+      ] if project.master_access_for?(user)
+
      rules << [
        :modify_issue,
        :modify_snippet,

--- a/app/roles/authority.rb
+++ b/app/roles/authority.rb
@@ -53,6 +53,6 @@ module Authority
  end

  def master_access_for?(user)
-    !users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty? || owner_id == user.id
+    !users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty?
  end
 end
--- a/app/roles/repository.rb
+++ b/app/roles/repository.rb
@@ -181,4 +181,9 @@ module Repository
  def http_url_to_repo
    http_url = [Gitlab.config.url, "/", path, ".git"].join('')
  end
+
+  # Check if current branch name is marked as protected in the system
+  def protected_branch? branch_name
+    protected_branches.map(&:name).include?(branch_name)
+  end
 end
--- a/app/views/tree/_blob_actions.html.haml
+++ b/app/views/tree/_blob_actions.html.haml
 .btn-group.tree-btn-group
  -# only show edit link for text files
  - if @tree.text?
-    = link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small"
+    = link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small", disabled: !allowed_tree_edit?
  = link_to "raw", project_blob_path(@project, @id), class: "btn very_small", target: "_blank"
  -# only show normal/blame view links for text files
  - if @tree.text?

--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
 module Grack
  class Auth < Rack::Auth::Basic
+    attr_accessor :user, :project

    def valid?
      # Authentication with username and password
      email, password = @auth.credentials
-      user = User.find_by_email(email)
+      self.user = User.find_by_email(email)
      return false unless user.try(:valid_password?, password)

      # Set GL_USER env variable
@@ -18,28 +19,39 @@ module Grack

      # Find project by PATH_INFO from env
      if m = /^\/([\w-]+).git/.match(@request.path_info).to_a
-        return false unless project = Project.find_by_path(m.last)
+        self.project = Project.find_by_path(m.last)
+        return false unless project
      end

      # Git upload and receive
      if @request.get?
-        true
+        validate_get_request
      elsif @request.post?
+        validate_post_request
+      else
+        false
+      end
+    end
+
+    def validate_get_request
+      true
+    end
+
+    def validate_post_request
      if @request.path_info.end_with?('git-upload-pack')
-          return project.dev_access_for?(user)
+        can?(user, :push_code, project)
      elsif @request.path_info.end_with?('git-receive-pack')
-          if project.protected_branches.map(&:name).include?(current_ref)
-            project.master_access_for?(user)
+        action = if project.protected_branch?(current_ref)
+                   :push_code_to_protected_branches
                 else
-            project.dev_access_for?(user)
+                   :push_code
                 end
+
+        can?(user, action, project)
      else
        false
      end
-      else
-        false
    end
-    end# valid?

    def current_ref
      if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/