Commit 0189ee97 authored by randx's avatar randx

Security for online editor. Replace dev_access?, master_access? with can? method usage

parent 5ec1ad8b
......@@ -48,5 +48,13 @@ class TreeController < ProjectResourceController
unless @tree.is_blob? && @tree.text?
redirect_to project_tree_path(@project, @id), notice: "You can only edit text files"
end
allowed = if project.protected_branch? @ref
can?(current_user, :push_code_to_protected_branches, project)
else
can?(current_user, :push_code, project)
end
return access_denied! unless allowed
end
end
......@@ -59,4 +59,12 @@ module TreeHelper
def tree_join(*args)
File.join(*args)
end
def allowed_tree_edit?
if @project.protected_branch? @ref
can?(current_user, :push_code_to_protected_branches, @project)
else
can?(current_user, :push_code, @project)
end
end
end
......@@ -35,9 +35,14 @@ class Ability
] if project.report_access_for?(user)
rules << [
:write_wiki
:write_wiki,
:push_code
] if project.dev_access_for?(user)
rules << [
:push_code_to_protected_branches
] if project.master_access_for?(user)
rules << [
:modify_issue,
:modify_snippet,
......
......@@ -53,6 +53,6 @@ module Authority
end
def master_access_for?(user)
!users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty? || owner_id == user.id
!users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty?
end
end
......@@ -181,4 +181,9 @@ module Repository
def http_url_to_repo
http_url = [Gitlab.config.url, "/", path, ".git"].join('')
end
# Check if current branch name is marked as protected in the system
def protected_branch? branch_name
protected_branches.map(&:name).include?(branch_name)
end
end
.btn-group.tree-btn-group
-# only show edit link for text files
- if @tree.text?
= link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small"
= link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small", disabled: !allowed_tree_edit?
= link_to "raw", project_blob_path(@project, @id), class: "btn very_small", target: "_blank"
-# only show normal/blame view links for text files
- if @tree.text?
......
module Grack
class Auth < Rack::Auth::Basic
attr_accessor :user, :project
def valid?
# Authentication with username and password
email, password = @auth.credentials
user = User.find_by_email(email)
self.user = User.find_by_email(email)
return false unless user.try(:valid_password?, password)
# Set GL_USER env variable
......@@ -18,28 +19,39 @@ module Grack
# Find project by PATH_INFO from env
if m = /^\/([\w-]+).git/.match(@request.path_info).to_a
return false unless project = Project.find_by_path(m.last)
self.project = Project.find_by_path(m.last)
return false unless project
end
# Git upload and receive
if @request.get?
true
validate_get_request
elsif @request.post?
if @request.path_info.end_with?('git-upload-pack')
return project.dev_access_for?(user)
elsif @request.path_info.end_with?('git-receive-pack')
if project.protected_branches.map(&:name).include?(current_ref)
project.master_access_for?(user)
else
project.dev_access_for?(user)
end
else
false
end
validate_post_request
else
false
end
end# valid?
end
def validate_get_request
true
end
def validate_post_request
if @request.path_info.end_with?('git-upload-pack')
can?(user, :push_code, project)
elsif @request.path_info.end_with?('git-receive-pack')
action = if project.protected_branch?(current_ref)
:push_code_to_protected_branches
else
:push_code
end
can?(user, action, project)
else
false
end
end
def current_ref
if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment