Commit 16e899ca authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Add brakeman rake task and improve code security

parent cc877c53
...@@ -26,7 +26,7 @@ class Projects::ImportsController < Projects::ApplicationController ...@@ -26,7 +26,7 @@ class Projects::ImportsController < Projects::ApplicationController
def show def show
unless @project.import_in_progress? unless @project.import_in_progress?
if @project.import_finished? if @project.import_finished?
redirect_to(@project) and return redirect_to(project_path(@project)) and return
else else
redirect_to new_namespace_project_import_path(@project.namespace, redirect_to new_namespace_project_import_path(@project.namespace,
@project) && return @project) && return
......
...@@ -15,15 +15,9 @@ class Projects::TeamMembersController < Projects::ApplicationController ...@@ -15,15 +15,9 @@ class Projects::TeamMembersController < Projects::ApplicationController
def create def create
users = User.where(id: params[:user_ids].split(',')) users = User.where(id: params[:user_ids].split(','))
@project.team << [users, params[:access_level]] @project.team << [users, params[:access_level]]
if params[:redirect_to] redirect_to namespace_project_team_index_path(@project.namespace, @project)
redirect_to params[:redirect_to]
else
redirect_to namespace_project_team_index_path(@project.namespace,
@project)
end
end end
def update def update
......
...@@ -97,7 +97,7 @@ class Projects::WikisController < Projects::ApplicationController ...@@ -97,7 +97,7 @@ class Projects::WikisController < Projects::ApplicationController
@project_wiki.wiki @project_wiki.wiki
rescue ProjectWiki::CouldNotCreateWikiError => ex rescue ProjectWiki::CouldNotCreateWikiError => ex
flash[:notice] = "Could not create Wiki Repository at this time. Please try again later." flash[:notice] = "Could not create Wiki Repository at this time. Please try again later."
redirect_to @project redirect_to project_path(@project)
return false return false
end end
......
...@@ -3,22 +3,53 @@ class UploadsController < ApplicationController ...@@ -3,22 +3,53 @@ class UploadsController < ApplicationController
before_filter :authorize_access before_filter :authorize_access
def show def show
model = params[:model].camelize.constantize.find(params[:id]) unless upload_model && upload_mount
uploader = model.send(params[:mounted_as]) return not_found!
end
return not_found! if model.respond_to?(:project) && !can?(current_user, :read_project, model.project) model = upload_model.find(params[:id])
uploader = model.send(upload_mount)
return redirect_to uploader.url unless uploader.file_storage? if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
return not_found!
end
return not_found! unless uploader.file.exists? unless uploader.file_storage?
return redirect_to uploader.url
end
unless uploader.file.exists?
return not_found!
end
disposition = uploader.image? ? 'inline' : 'attachment' disposition = uploader.image? ? 'inline' : 'attachment'
send_file uploader.file.path, disposition: disposition send_file uploader.file.path, disposition: disposition
end end
private
def authorize_access def authorize_access
unless params[:mounted_as] == 'avatar' unless params[:mounted_as] == 'avatar'
authenticate_user! && reject_blocked! authenticate_user! && reject_blocked!
end end
end end
def upload_model
upload_models = {
user: User,
project: Project,
note: Note,
group: Group
}
upload_models[params[:model].to_sym]
end
def upload_mount
upload_mounts = %w(avatar attachment file)
if upload_mounts.include?(params[:mounted_as])
params[:mounted_as]
end
end
end end
desc 'Security check via brakeman' desc 'Security check via brakeman'
task :brakeman do task :brakeman do
if system("brakeman -w3 -z") if system("brakeman --skip-files lib/backup/repository.rb -w3 -z")
exit 0 exit 0
else else
puts 'Security check failed' puts 'Security check failed'
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment