Skip to content

G
gitlab-ce
Commit 9df6f7bf authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets
Browse files
Options

authorized_projects and authorized_groups methods for user

parent 83f2a387
Hide whitespace changes
Inline Side-by-side
Showing with 26 additions and 16 deletions
app/controllers/dashboard_controller.rb
View file @ 9df6f7bf
......@@ -5,8 +5,10 @@ class DashboardController < ApplicationController
before_filter :event_filter, only: :index
def index
@groups = current_user.accessed_groups
@groups = current_user.authorized_groups
@projects = @projects.page(params[:page]).per(30)
@events = Event.in_projects(current_user.project_ids)
@events = @event_filter.apply_filter(@events)
@events = @events.limit(20).offset(params[:offset] || 0)
......@@ -43,7 +45,7 @@ class DashboardController < ApplicationController
protected
def projects
@projects = current_user.projects_sorted_by_activity
@projects = current_user.authorized_projects.sorted_by_activity
end
def event_filter
......
app/controllers/groups_controller.rb
View file @ 9df6f7bf
......@@ -5,6 +5,9 @@ class GroupsController < ApplicationController
before_filter :group
before_filter :projects
# Authorize
before_filter :authorize_read_group!
def show
@events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0)
@last_push = current_user.recent_push
......@@ -54,16 +57,17 @@ class GroupsController < ApplicationController
end
def projects
@projects ||= begin
if can?(current_user, :manage_group, @group)
@group.projects
else
current_user.projects.where(namespace_id: @group.id)
end.sorted_by_activity.all
end
@projects ||= group.projects.authorized_for(current_user).sorted_by_activity
end
def project_ids
projects.map(&:id)
end
# Dont allow unauthorized access to group
def authorize_read_group!
unless projects.present? or can?(current_user, :manage_group, @group)
return render_404
end
end
end
app/models/project.rb
View file @ 9df6f7bf
......@@ -76,6 +76,11 @@ class Project < ActiveRecord::Base
scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") }
class << self
def authorized_for user
projects = includes(:users_projects, :namespace)
projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)
end
def active
joins(:issues, :notes, :merge_requests).order("issues.created_at, notes.created_at, merge_requests.created_at DESC")
end
......@@ -285,9 +290,4 @@ class Project < ActiveRecord::Base
merge_requests
end
end
def self.authorized_for user
projects = includes(:users_projects, :namespace)
projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)
end
end
app/models/user.rb
View file @ 9df6f7bf
......@@ -124,11 +124,15 @@ class User < ActiveRecord::Base
end
end
def accessed_groups
@accessed_groups ||= begin
def authorized_groups
@authorized_groups ||= begin
groups = Group.where(id: self.projects.pluck(:namespace_id)).all
groups = groups + self.groups
groups.uniq
end
end
def authorized_projects
Project.authorized_for(self)
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7