Commit 9ea5766c authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Improve permissions on tags/branches

parent 29306dd6
...@@ -91,6 +91,10 @@ class ApplicationController < ActionController::Base ...@@ -91,6 +91,10 @@ class ApplicationController < ActionController::Base
return access_denied! unless can?(current_user, :download_code, project) or project.public? return access_denied! unless can?(current_user, :download_code, project) or project.public?
end end
def authorize_push!
return access_denied! unless can?(current_user, :push_code, project)
end
def authorize_create_team! def authorize_create_team!
return access_denied! unless can?(current_user, :create_team, nil) return access_denied! unless can?(current_user, :create_team, nil)
end end
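Review bot: `authorize_push!` checks only the project-wide `:push_code` ability and never sees the name of the ref being created. Now that `create` is gated by it alone, any per-ref restriction the project has must be enforced inside the create action or the code it calls, which is not visible in this hunk and is worth confirming. I would state the contract above the method, for example `# Project-level check only; ref-level rules must be enforced by the action that creates the ref.`, and add controller specs for `create` as a user with and without `:push_code`. The class body continues outside the hunk.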
......
...@@ -3,7 +3,9 @@ class Projects::BranchesController < Projects::ApplicationController ...@@ -3,7 +3,9 @@ class Projects::BranchesController < Projects::ApplicationController
before_filter :authorize_read_project! before_filter :authorize_read_project!
before_filter :require_non_empty_project before_filter :require_non_empty_project
before_filter :authorize_admin_project!, only: [:destroy, :create] before_filter :authorize_code_access!
before_filter :authorize_push!, only: [:create]
before_filter :authorize_admin_project!, only: [:destroy]
def index def index
@branches = Kaminari.paginate_array(@repository.branches).page(params[:page]).per(30) @branches = Kaminari.paginate_array(@repository.branches).page(params[:page]).per(30)
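Review bot: The new `authorize_push!` filter is limited to `only: [:create]`, but the branches view changed in this commit links to `new_project_branch_path`, so a `new` route exists that the push check does not cover. A user without `:push_code` who requests that URL directly would presumably still get the form and be refused only on submit. I would write `before_filter :authorize_push!, only: [:new, :create]`, so that the form and the action follow the same rule as the hidden link. The Projects::TagsController section carries the same filter list and would take the same change if it has a `new` form. Whether either controller defines `new` explicitly is not visible, since both bodies continue outside these sections.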
......
class Projects::TagsController < Projects::ApplicationController class Projects::TagsController < Projects::ApplicationController
# Authorize # Authorize
before_filter :authorize_read_project! before_filter :authorize_read_project!
before_filter :authorize_code_access!
before_filter :require_non_empty_project before_filter :require_non_empty_project
before_filter :authorize_admin_project!, only: [:destroy, :create] before_filter :authorize_code_access!
before_filter :authorize_push!, only: [:create]
before_filter :authorize_admin_project!, only: [:destroy]
def index def index
@tags = Kaminari.paginate_array(@project.repository.tags).page(params[:page]).per(30) @tags = Kaminari.paginate_array(@project.repository.tags).page(params[:page]).per(30)
......
...@@ -10,6 +10,7 @@ ...@@ -10,6 +10,7 @@
%hr %hr
- if can? current_user, :push_code, @project
= link_to new_project_branch_path(@project), class: 'btn btn-create' do = link_to new_project_branch_path(@project), class: 'btn btn-create' do
%i.icon-add-sign %i.icon-add-sign
New branch New branch
......