Improve permissions on tags/branches

9ea5766c · Dmitriy Zaporozhets · 29306dd6 · 9ea5766c · 9ea5766c · 9ea5766c
Commit 9ea5766c authored Jul 17, 2013 by Dmitriy Zaporozhets
4 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -91,6 +91,10 @@ class ApplicationController < ActionController::Base
    return access_denied! unless can?(current_user, :download_code, project) or project.public?
  end

+  def authorize_push!
+    return access_denied! unless can?(current_user, :push_code, project)
+  end
+
  def authorize_create_team!
    return access_denied! unless can?(current_user, :create_team, nil)
  end

--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
@@ -3,7 +3,9 @@ class Projects::BranchesController < Projects::ApplicationController
  before_filter :authorize_read_project!
  before_filter :require_non_empty_project

-  before_filter :authorize_admin_project!, only: [:destroy, :create]
+  before_filter :authorize_code_access!
+  before_filter :authorize_push!, only: [:create]
+  before_filter :authorize_admin_project!, only: [:destroy]

  def index
    @branches = Kaminari.paginate_array(@repository.branches).page(params[:page]).per(30)

--- a/app/controllers/projects/tags_controller.rb
+++ b/app/controllers/projects/tags_controller.rb
 class Projects::TagsController < Projects::ApplicationController
  # Authorize
  before_filter :authorize_read_project!
-  before_filter :authorize_code_access!
  before_filter :require_non_empty_project

-  before_filter :authorize_admin_project!, only: [:destroy, :create]
+  before_filter :authorize_code_access!
+  before_filter :authorize_push!, only: [:create]
+  before_filter :authorize_admin_project!, only: [:destroy]

  def index
    @tags = Kaminari.paginate_array(@project.repository.tags).page(params[:page]).per(30)

--- a/app/views/projects/repositories/_filter.html.haml
+++ b/app/views/projects/repositories/_filter.html.haml
@@ -10,6 +10,7 @@


 %hr
+- if can? current_user, :push_code, @project
  = link_to new_project_branch_path(@project), class: 'btn btn-create' do
    %i.icon-add-sign
    New branch