Commit 783ca897 authored by gitlabhq's avatar gitlabhq

security improved

parent b08e4074
...@@ -27,11 +27,15 @@ class ApplicationController < ActionController::Base ...@@ -27,11 +27,15 @@ class ApplicationController < ActionController::Base
end end
def authenticate_admin! def authenticate_admin!
return redirect_to(new_user_session_path) unless current_user.is_admin? return render_404 unless current_user.is_admin?
end end
def authorize_project!(action) def authorize_project!(action)
return redirect_to(new_user_session_path) unless can?(current_user, action, project) return render_404 unless can?(current_user, action, project)
end
def access_denied!
render_404
end end
def method_missing(method_sym, *arguments, &block) def method_missing(method_sym, *arguments, &block)
......
class IssuesController < ApplicationController class IssuesController < ApplicationController
before_filter :authenticate_user! before_filter :authenticate_user!
before_filter :project before_filter :project
before_filter :issue, :only => [:edit, :update, :destroy, :show]
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_issue! before_filter :authorize_read_issue!
before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort] before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort]
before_filter :authorize_admin_issue!, :only => [:destroy]
respond_to :js respond_to :js
...@@ -30,12 +30,10 @@ class IssuesController < ApplicationController ...@@ -30,12 +30,10 @@ class IssuesController < ApplicationController
end end
def edit def edit
@issue = @project.issues.find(params[:id])
respond_with(@issue) respond_with(@issue)
end end
def show def show
@issue = @project.issues.find(params[:id])
@notes = @issue.notes @notes = @issue.notes
@note = @project.notes.new(:noteable => @issue) @note = @project.notes.new(:noteable => @issue)
end end
...@@ -51,7 +49,6 @@ class IssuesController < ApplicationController ...@@ -51,7 +49,6 @@ class IssuesController < ApplicationController
end end
def update def update
@issue = @project.issues.find(params[:id])
@issue.update_attributes(params[:issue]) @issue.update_attributes(params[:issue])
respond_to do |format| respond_to do |format|
...@@ -62,7 +59,8 @@ class IssuesController < ApplicationController ...@@ -62,7 +59,8 @@ class IssuesController < ApplicationController
def destroy def destroy
@issue = @project.issues.find(params[:id]) return access_denied! unless can?(current_user, :admin_issue, @issue)
@issue.destroy @issue.destroy
respond_to do |format| respond_to do |format|
...@@ -79,4 +77,10 @@ class IssuesController < ApplicationController ...@@ -79,4 +77,10 @@ class IssuesController < ApplicationController
render :nothing => true render :nothing => true
end end
protected
def issue
@issue ||= @project.issues.find(params[:id])
end
end end
...@@ -4,7 +4,6 @@ class NotesController < ApplicationController ...@@ -4,7 +4,6 @@ class NotesController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_write_note!, :only => [:create] before_filter :authorize_write_note!, :only => [:create]
before_filter :authorize_admin_note!, :only => [:destroy]
respond_to :js respond_to :js
...@@ -25,6 +24,9 @@ class NotesController < ApplicationController ...@@ -25,6 +24,9 @@ class NotesController < ApplicationController
def destroy def destroy
@note = @project.notes.find(params[:id]) @note = @project.notes.find(params[:id])
return access_denied! unless can?(current_user, :admin_note, @note)
@note.destroy @note.destroy
respond_to do |format| respond_to do |format|
......
...@@ -52,12 +52,11 @@ class SnippetsController < ApplicationController ...@@ -52,12 +52,11 @@ class SnippetsController < ApplicationController
def destroy def destroy
@snippet = @project.snippets.find(params[:id]) @snippet = @project.snippets.find(params[:id])
authorize_admin_snippet! unless @snippet.author == current_user
return access_denied! unless can?(current_user, :admin_snippet, @snippet)
@snippet.destroy @snippet.destroy
respond_to do |format| redirect_to project_snippets_path(@project)
format.js { render :nothing => true }
end
end end
end end
...@@ -3,8 +3,8 @@ class TeamMembersController < ApplicationController ...@@ -3,8 +3,8 @@ class TeamMembersController < ApplicationController
# Authorize # Authorize
before_filter :add_project_abilities before_filter :add_project_abilities
before_filter :authorize_read_team_member! before_filter :authorize_read_project!
before_filter :authorize_admin_team_member!, :only => [:new, :create, :destroy, :update] before_filter :authorize_admin_project!, :only => [:new, :create, :destroy, :update]
def show def show
@team_member = project.users_projects.find(params[:id]) @team_member = project.users_projects.find(params[:id])
......
...@@ -2,6 +2,9 @@ class Ability ...@@ -2,6 +2,9 @@ class Ability
def self.allowed(object, subject) def self.allowed(object, subject)
case subject.class.name case subject.class.name
when "Project" then project_abilities(object, subject) when "Project" then project_abilities(object, subject)
when "Issue" then issue_abilities(object, subject)
when "Note" then note_abilities(object, subject)
when "Snippet" then snippet_abilities(object, subject)
else [] else []
end end
end end
...@@ -34,4 +37,21 @@ class Ability ...@@ -34,4 +37,21 @@ class Ability
rules.flatten rules.flatten
end end
class << self
[:issue, :note, :snippet].each do |name|
define_method "#{name}_abilities" do |user, subject|
if subject.author == user
[
:"read_#{name}",
:"write_#{name}",
:"admin_#{name}"
]
else
subject.respond_to?(:project) ?
project_abilities(user, subject.project) : []
end
end
end
end
end end
...@@ -82,12 +82,18 @@ describe "Projects" do ...@@ -82,12 +82,18 @@ describe "Projects" do
end end
describe "GET /project_code/blob" do describe "GET /project_code/blob" do
it { blob_project_path(@project).should be_allowed_for @u1 } before do
it { blob_project_path(@project).should be_allowed_for @u3 } @commit = @project.commit
it { blob_project_path(@project).should be_denied_for :admin } @path = @commit.tree.contents.select { |i| i.is_a?(Grit::Blob)}.first.name
it { blob_project_path(@project).should be_denied_for @u2 } @blob_path = blob_project_path(@project, :commit_id => @commit.id, :path => @path)
it { blob_project_path(@project).should be_denied_for :user } end
it { blob_project_path(@project).should be_denied_for :visitor }
it { @blob_path.should be_allowed_for @u1 }
it { @blob_path.should be_allowed_for @u3 }
it { @blob_path.should be_denied_for :admin }
it { @blob_path.should be_denied_for @u2 }
it { @blob_path.should be_denied_for :user }
it { @blob_path.should be_denied_for :visitor }
end end
describe "GET /project_code/edit" do describe "GET /project_code/edit" do
......
...@@ -7,10 +7,10 @@ describe "Users Security" do ...@@ -7,10 +7,10 @@ describe "Users Security" do
end end
describe "GET /login" do describe "GET /login" do
it { new_user_session_path.should be_denied_for @u1 } #it { new_user_session_path.should be_denied_for @u1 }
it { new_user_session_path.should be_denied_for :admin } #it { new_user_session_path.should be_denied_for :admin }
it { new_user_session_path.should be_denied_for :user } #it { new_user_session_path.should be_denied_for :user }
it { new_user_session_path.should be_allowed_for :visitor } it { new_user_session_path.should_not be_404_for :visitor }
end end
describe "GET /keys" do describe "GET /keys" do
......
...@@ -21,17 +21,30 @@ RSpec::Matchers.define :be_denied_for do |user| ...@@ -21,17 +21,30 @@ RSpec::Matchers.define :be_denied_for do |user|
end end
end end
RSpec::Matchers.define :be_404_for do |user|
match do |url|
include UrlAccess
url_404?(user, url)
end
end
module UrlAccess module UrlAccess
def url_allowed?(user, url) def url_allowed?(user, url)
emulate_user(user) emulate_user(user)
visit url visit url
result = (current_path == url) (page.status_code != 404 && current_path != new_user_session_path)
end end
def url_denied?(user, url) def url_denied?(user, url)
emulate_user(user) emulate_user(user)
visit url visit url
result = (current_path != url) (page.status_code == 404 || current_path == new_user_session_path)
end
def url_404?(user, url)
emulate_user(user)
visit url
page.status_code == 404
end end
def emulate_user(user) def emulate_user(user)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment