Commit 8c40aab1 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Abilities extended. Resources security improved

parent af82b677
...@@ -48,6 +48,10 @@ class ApplicationController < ActionController::Base ...@@ -48,6 +48,10 @@ class ApplicationController < ActionController::Base
return render_404 unless can?(current_user, action, project) return render_404 unless can?(current_user, action, project)
end end
def authorize_code_access!
return render_404 unless can?(current_user, :download_code, project)
end
def access_denied! def access_denied!
render_404 render_404
end end
......
...@@ -7,6 +7,7 @@ class CommitsController < ApplicationController ...@@ -7,6 +7,7 @@ class CommitsController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_project! before_filter :authorize_read_project!
before_filter :authorize_code_access!
before_filter :require_non_empty_project before_filter :require_non_empty_project
before_filter :load_refs, :only => :index # load @branch, @tag & @ref before_filter :load_refs, :only => :index # load @branch, @tag & @ref
before_filter :render_full_content before_filter :render_full_content
......
...@@ -126,12 +126,11 @@ class IssuesController < ApplicationController ...@@ -126,12 +126,11 @@ class IssuesController < ApplicationController
end end
def authorize_modify_issue! def authorize_modify_issue!
can?(current_user, :modify_issue, @issue) || return render_404 unless can?(current_user, :modify_issue, @issue)
@issue.assignee == current_user
end end
def authorize_admin_issue! def authorize_admin_issue!
can?(current_user, :admin_issue, @issue) return render_404 unless can?(current_user, :admin_issue, @issue)
end end
def module_enabled def module_enabled
......
...@@ -112,12 +112,11 @@ class MergeRequestsController < ApplicationController ...@@ -112,12 +112,11 @@ class MergeRequestsController < ApplicationController
end end
def authorize_modify_merge_request! def authorize_modify_merge_request!
can?(current_user, :modify_merge_request, @merge_request) || return render_404 unless can?(current_user, :modify_merge_request, @merge_request)
@merge_request.assignee == current_user
end end
def authorize_admin_merge_request! def authorize_admin_merge_request!
can?(current_user, :admin_merge_request, @merge_request) return render_404 unless can?(current_user, :admin_merge_request, @merge_request)
end end
def module_enabled def module_enabled
......
...@@ -4,6 +4,7 @@ class RefsController < ApplicationController ...@@ -4,6 +4,7 @@ class RefsController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_project! before_filter :authorize_read_project!
before_filter :authorize_code_access!
before_filter :require_non_empty_project before_filter :require_non_empty_project
before_filter :ref before_filter :ref
......
...@@ -4,6 +4,7 @@ class RepositoriesController < ApplicationController ...@@ -4,6 +4,7 @@ class RepositoriesController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_project! before_filter :authorize_read_project!
before_filter :authorize_code_access!
before_filter :require_non_empty_project before_filter :require_non_empty_project
before_filter :render_full_content before_filter :render_full_content
......
class SnippetsController < ApplicationController class SnippetsController < ApplicationController
before_filter :authenticate_user! before_filter :authenticate_user!
before_filter :project before_filter :project
before_filter :snippet, :only => [:show, :edit, :destroy, :update]
layout "project" layout "project"
# Authorize # Authorize
...@@ -41,11 +42,9 @@ class SnippetsController < ApplicationController ...@@ -41,11 +42,9 @@ class SnippetsController < ApplicationController
end end
def edit def edit
@snippet = @project.snippets.find(params[:id])
end end
def update def update
@snippet = @project.snippets.find(params[:id])
@snippet.update_attributes(params[:snippet]) @snippet.update_attributes(params[:snippet])
if @snippet.valid? if @snippet.valid?
...@@ -56,15 +55,12 @@ class SnippetsController < ApplicationController ...@@ -56,15 +55,12 @@ class SnippetsController < ApplicationController
end end
def show def show
@snippet = @project.snippets.find(params[:id])
@notes = @snippet.notes @notes = @snippet.notes
@note = @project.notes.new(:noteable => @snippet) @note = @project.notes.new(:noteable => @snippet)
render_full_content render_full_content
end end
def destroy def destroy
@snippet = @project.snippets.find(params[:id])
return access_denied! unless can?(current_user, :admin_snippet, @snippet) return access_denied! unless can?(current_user, :admin_snippet, @snippet)
@snippet.destroy @snippet.destroy
...@@ -73,12 +69,15 @@ class SnippetsController < ApplicationController ...@@ -73,12 +69,15 @@ class SnippetsController < ApplicationController
end end
protected protected
def snippet
@snippet ||= @project.snippets.find(params[:id])
end
def authorize_modify_snippet! def authorize_modify_snippet!
can?(current_user, :modify_snippet, @snippet) return render_404 unless can?(current_user, :modify_snippet, @snippet)
end end
def authorize_admin_snippet! def authorize_admin_snippet!
can?(current_user, :admin_snippet, @snippet) return render_404 unless can?(current_user, :admin_snippet, @snippet)
end end
end end
...@@ -2,7 +2,7 @@ class WikisController < ApplicationController ...@@ -2,7 +2,7 @@ class WikisController < ApplicationController
before_filter :project before_filter :project
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_wiki! before_filter :authorize_read_wiki!
before_filter :authorize_write_wiki!, :except => [:show, :destroy] before_filter :authorize_write_wiki!, :only => [:edit, :create, :history]
before_filter :authorize_admin_wiki!, :only => :destroy before_filter :authorize_admin_wiki!, :only => :destroy
layout "project" layout "project"
...@@ -12,6 +12,11 @@ class WikisController < ApplicationController ...@@ -12,6 +12,11 @@ class WikisController < ApplicationController
else else
@wiki = @project.wikis.where(:slug => params[:id]).order("created_at").last @wiki = @project.wikis.where(:slug => params[:id]).order("created_at").last
end end
unless @wiki
return render_404 unless can?(current_user, :write_wiki, @project)
end
respond_to do |format| respond_to do |format|
if @wiki if @wiki
format.html format.html
...@@ -51,18 +56,4 @@ class WikisController < ApplicationController ...@@ -51,18 +56,4 @@ class WikisController < ApplicationController
format.html { redirect_to project_wiki_path(@project, :index), notice: "Page was successfully deleted" } format.html { redirect_to project_wiki_path(@project, :index), notice: "Page was successfully deleted" }
end end
end end
protected
def authorize_read_wiki!
can?(current_user, :read_wiki, @project)
end
def authorize_write_wiki!
can?(current_user, :write_wiki, @project)
end
def authorize_admin_wiki!
can?(current_user, :admin_wiki, @project)
end
end end
...@@ -5,7 +5,7 @@ class Ability ...@@ -5,7 +5,7 @@ class Ability
when "Issue" then issue_abilities(object, subject) when "Issue" then issue_abilities(object, subject)
when "Note" then note_abilities(object, subject) when "Note" then note_abilities(object, subject)
when "Snippet" then snippet_abilities(object, subject) when "Snippet" then snippet_abilities(object, subject)
when "Wiki" then wiki_abilities(object, subject) when "MergeRequest" then merge_request_abilities(object, subject)
else [] else []
end end
end end
...@@ -23,13 +23,13 @@ class Ability ...@@ -23,13 +23,13 @@ class Ability
:read_note, :read_note,
:write_project, :write_project,
:write_issue, :write_issue,
:write_snippet,
:write_merge_request,
:write_note :write_note
] if project.guest_access_for?(user) ] if project.guest_access_for?(user)
rules << [ rules << [
:download_code, :download_code,
:write_merge_request,
:write_snippet
] if project.report_access_for?(user) ] if project.report_access_for?(user)
rules << [ rules << [
...@@ -39,7 +39,7 @@ class Ability ...@@ -39,7 +39,7 @@ class Ability
rules << [ rules << [
:modify_issue, :modify_issue,
:modify_snippet, :modify_snippet,
:modify_wiki, :modify_merge_request,
:admin_project, :admin_project,
:admin_issue, :admin_issue,
:admin_snippet, :admin_snippet,
...@@ -47,7 +47,7 @@ class Ability ...@@ -47,7 +47,7 @@ class Ability
:admin_merge_request, :admin_merge_request,
:admin_note, :admin_note,
:admin_wiki :admin_wiki
] if project.master_access_for?(user) ] if project.master_access_for?(user) || project.owner == user
rules.flatten rules.flatten
...@@ -63,6 +63,12 @@ class Ability ...@@ -63,6 +63,12 @@ class Ability
:"modify_#{name}", :"modify_#{name}",
:"admin_#{name}" :"admin_#{name}"
] ]
elsif subject.respond_to?(:assignee) && subject.assignee == user
[
:"read_#{name}",
:"write_#{name}",
:"modify_#{name}",
]
else else
subject.respond_to?(:project) ? subject.respond_to?(:project) ?
project_abilities(user, subject.project) : [] project_abilities(user, subject.project) : []
......
...@@ -188,7 +188,7 @@ class Project < ActiveRecord::Base ...@@ -188,7 +188,7 @@ class Project < ActiveRecord::Base
elsif access.include?(:write) elsif access.include?(:write)
{ :project_access => UsersProject::DEVELOPER } { :project_access => UsersProject::DEVELOPER }
else else
{ :project_access => UsersProject::GUEST } { :project_access => UsersProject::REPORTER }
end end
opts = { :user => user } opts = { :user => user }
opts.merge!(access) opts.merge!(access)
......
...@@ -4,15 +4,17 @@ ...@@ -4,15 +4,17 @@
%h4 Guest %h4 Guest
%ul %ul
%li Create new issue %li Create new issue
%li Create new merge request %li Leave comments
%li Write on project wall %li Write on project wall
%h4 Reporter %h4 Reporter
%ul %ul
%li Pull project code %li Pull project code
%li Download project
%li Create new issue %li Create new issue
%li Create new merge request %li Create new merge request
%li Write on project wall %li Write on project wall
%li Create a code snippets
%h4 Developer %h4 Developer
...@@ -25,6 +27,7 @@ ...@@ -25,6 +27,7 @@
%li Create new issue %li Create new issue
%li Create new merge request %li Create new merge request
%li Write on project wall %li Write on project wall
%li Write a wiki
%h4 Master %h4 Master
%ul %ul
......
%li.wll{ :id => dom_id(issue), :class => "issue #{issue.critical ? "critical" : ""}", :url => project_issue_path(issue.project, issue) } %li.wll{ :id => dom_id(issue), :class => "issue #{issue.critical ? "critical" : ""}", :url => project_issue_path(issue.project, issue) }
.right .right
- if can? current_user, :write_issue, issue - if can? current_user, :modify_issue, issue
- if issue.closed - if issue.closed
= link_to 'Reopen', project_issue_path(issue.project, issue, :issue => {:closed => false }, :status_only => true), :method => :put, :class => "btn small", :remote => true = link_to 'Reopen', project_issue_path(issue.project, issue, :issue => {:closed => false }, :status_only => true), :method => :put, :class => "btn small", :remote => true
- else - else
= link_to 'Resolve', project_issue_path(issue.project, issue, :issue => {:closed => true }, :status_only => true), :method => :put, :class => "success btn small", :remote => true = link_to 'Resolve', project_issue_path(issue.project, issue, :issue => {:closed => true }, :status_only => true), :method => :put, :class => "success btn small", :remote => true
- if can? current_user, :write_issue, issue
= link_to 'Edit', edit_project_issue_path(issue.project, issue), :class => "btn small edit-issue-link", :remote => true = link_to 'Edit', edit_project_issue_path(issue.project, issue), :class => "btn small edit-issue-link", :remote => true
-#- if can?(current_user, :admin_issue, @project) || issue.author == current_user -#- if can?(current_user, :admin_issue, @project) || issue.author == current_user
= link_to 'Remove', [issue.project, issue], :confirm => 'Are you sure?', :method => :delete, :remote => true, :class => "danger btn small delete-issue", :id => "destroy_issue_#{issue.id}" = link_to 'Remove', [issue.project, issue], :confirm => 'Are you sure?', :method => :delete, :remote => true, :class => "danger btn small delete-issue", :id => "destroy_issue_#{issue.id}"
......
...@@ -4,8 +4,9 @@ ...@@ -4,8 +4,9 @@
Project Project
- if @project.repo_exists? - if @project.repo_exists?
= link_to "Files", tree_project_ref_path(@project, @project.root_ref), :class => tree_tab_class - if can? current_user, :download_code, @project
= link_to "Commits", project_commits_path(@project), :class => commit_tab_class = link_to "Files", tree_project_ref_path(@project, @project.root_ref), :class => tree_tab_class
= link_to "Commits", project_commits_path(@project), :class => commit_tab_class
= link_to "Network", graph_project_path(@project), :class => current_page?(:controller => "projects", :action => "graph", :id => @project) ? "current" : nil = link_to "Network", graph_project_path(@project), :class => current_page?(:controller => "projects", :action => "graph", :id => @project) ? "current" : nil
- if @project.issues_enabled - if @project.issues_enabled
......
...@@ -10,12 +10,11 @@ ...@@ -10,12 +10,11 @@
= @merge_request.created_at.stamp("Aug 21, 2011") = @merge_request.created_at.stamp("Aug 21, 2011")
%span.right %span.right
- if can?(current_user, :admin_project, @project) || @merge_request.author == current_user - if can?(current_user, :modify_merge_request, @merge_request)
- if @merge_request.closed - if @merge_request.closed
= link_to 'Reopen', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => false }, :status_only => true), :method => :put, :class => "btn" = link_to 'Reopen', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => false }, :status_only => true), :method => :put, :class => "btn"
- else - else
= link_to 'Close', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => true }, :status_only => true), :method => :put, :class => "btn", :title => "Close merge request" = link_to 'Close', project_merge_request_path(@project, @merge_request, :merge_request => {:closed => true }, :status_only => true), :method => :put, :class => "btn", :title => "Close merge request"
- if can?(current_user, :admin_project, @project) || @merge_request.author == current_user
= link_to edit_project_merge_request_path(@project, @merge_request), :class => "btn small" do = link_to edit_project_merge_request_path(@project, @merge_request), :class => "btn small" do
Edit Edit
......
...@@ -11,23 +11,19 @@ ...@@ -11,23 +11,19 @@
%p %p
- if @project.issues_enabled - if @project.issues_enabled
%span %span
Assigned issues: Assigned Issues:
= current_user.assigned_issues.opened.count = current_user.assigned_issues.opened.count
%br %br
- if @project.merge_requests_enabled - if @project.merge_requests_enabled
%span %span
Assigned merge request: Assigned Requests:
= current_user.assigned_merge_requests.opened.count
%br
%span
Your merge requests:
= current_user.assigned_merge_requests.opened.count = current_user.assigned_merge_requests.opened.count
%br %br
%br %br
- if @project.merge_requests_enabled - if @project.merge_requests_enabled && can?(current_user, :write_merge_request, @project)
= link_to new_project_merge_request_path(@project), :title => "New Merge Request", :class => "btn small padded" do = link_to new_project_merge_request_path(@project), :title => "New Merge Request", :class => "btn small padded" do
Merge Request Merge Request
- if @project.issues_enabled - if @project.issues_enabled && can?(current_user, :write_issue, @project)
= link_to new_project_issue_path(@project), :title => "New Issue", :class => "btn small" do = link_to new_project_issue_path(@project), :title => "New Issue", :class => "btn small" do
Issue Issue
......
...@@ -4,13 +4,13 @@ ...@@ -4,13 +4,13 @@
- if can? current_user, :write_wiki, @project - if can? current_user, :write_wiki, @project
= link_to history_project_wiki_path(@project, @wiki), :class => "btn small padded" do = link_to history_project_wiki_path(@project, @wiki), :class => "btn small padded" do
History History
= link_to edit_project_wiki_path(@project, @wiki), :class => "btn small" do = link_to edit_project_wiki_path(@project, @wiki), :class => "btn small" do
Edit Edit
%hr %hr
= markdown_to_html @wiki.content = markdown_to_html @wiki.content
%p.time Last edited by #{@wiki.user.name}, in #{time_ago_in_words @wiki.created_at} %p.time Last edited by #{@wiki.user.name}, in #{time_ago_in_words @wiki.created_at}
- if can? current_user, :write_wiki, @project - if can? current_user, :admin_wiki, @project
= link_to project_wiki_path(@project, @wiki), :confirm => "Are you sure you want to delete this page?", :method => :delete do = link_to project_wiki_path(@project, @wiki), :confirm => "Are you sure you want to delete this page?", :method => :delete do
Delete this page Delete this page
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment