Commit b565f334 authored by randx's avatar randx

Auth for API

parent 80685596
...@@ -21,5 +21,21 @@ module Gitlab ...@@ -21,5 +21,21 @@ module Gitlab
def authenticate! def authenticate!
error!({'message' => '401 Unauthorized'}, 401) unless current_user error!({'message' => '401 Unauthorized'}, 401) unless current_user
end end
def authorize! action, subject
unless abilities.allowed?(current_user, action, subject)
error!({'message' => '403 Forbidden'}, 403)
end
end
private
def abilities
@abilities ||= begin
abilities = Six.new
abilities << Ability
abilities
end
end
end end
end end
...@@ -79,6 +79,8 @@ module Gitlab ...@@ -79,6 +79,8 @@ module Gitlab
# PUT /projects/:id/issues/:issue_id # PUT /projects/:id/issues/:issue_id
put ":id/issues/:issue_id" do put ":id/issues/:issue_id" do
@issue = user_project.issues.find(params[:issue_id]) @issue = user_project.issues.find(params[:issue_id])
authorize! :modify_issue, @issue
parameters = { parameters = {
title: (params[:title] || @issue.title), title: (params[:title] || @issue.title),
description: (params[:description] || @issue.description), description: (params[:description] || @issue.description),
......
...@@ -61,6 +61,8 @@ module Gitlab ...@@ -61,6 +61,8 @@ module Gitlab
# Example Request: # Example Request:
# PUT /projects/:id/milestones/:milestone_id # PUT /projects/:id/milestones/:milestone_id
put ":id/milestones/:milestone_id" do put ":id/milestones/:milestone_id" do
authorize! :admin_milestone, user_project
@milestone = user_project.milestones.find(params[:milestone_id]) @milestone = user_project.milestones.find(params[:milestone_id])
parameters = { parameters = {
title: (params[:title] || @milestone.title), title: (params[:title] || @milestone.title),
......
...@@ -74,6 +74,7 @@ module Gitlab ...@@ -74,6 +74,7 @@ module Gitlab
# Example Request: # Example Request:
# POST /projects/:id/users # POST /projects/:id/users
post ":id/users" do post ":id/users" do
authorize! :admin_project, user_project
user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access]) user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
nil nil
end end
...@@ -87,6 +88,7 @@ module Gitlab ...@@ -87,6 +88,7 @@ module Gitlab
# Example Request: # Example Request:
# PUT /projects/:id/add_users # PUT /projects/:id/add_users
put ":id/users" do put ":id/users" do
authorize! :admin_project, user_project
user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access]) user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
nil nil
end end
...@@ -99,6 +101,7 @@ module Gitlab ...@@ -99,6 +101,7 @@ module Gitlab
# Example Request: # Example Request:
# DELETE /projects/:id/users # DELETE /projects/:id/users
delete ":id/users" do delete ":id/users" do
authorize! :admin_project, user_project
user_project.delete_users_ids_from_team(params[:user_ids].values) user_project.delete_users_ids_from_team(params[:user_ids].values)
nil nil
end end
...@@ -186,6 +189,8 @@ module Gitlab ...@@ -186,6 +189,8 @@ module Gitlab
# PUT /projects/:id/snippets/:snippet_id # PUT /projects/:id/snippets/:snippet_id
put ":id/snippets/:snippet_id" do put ":id/snippets/:snippet_id" do
@snippet = user_project.snippets.find(params[:snippet_id]) @snippet = user_project.snippets.find(params[:snippet_id])
authorize! :modify_snippet, @snippet
parameters = { parameters = {
title: (params[:title] || @snippet.title), title: (params[:title] || @snippet.title),
file_name: (params[:file_name] || @snippet.file_name), file_name: (params[:file_name] || @snippet.file_name),
...@@ -209,6 +214,8 @@ module Gitlab ...@@ -209,6 +214,8 @@ module Gitlab
# DELETE /projects/:id/snippets/:snippet_id # DELETE /projects/:id/snippets/:snippet_id
delete ":id/snippets/:snippet_id" do delete ":id/snippets/:snippet_id" do
@snippet = user_project.snippets.find(params[:snippet_id]) @snippet = user_project.snippets.find(params[:snippet_id])
authorize! :modify_snippet, @snippet
@snippet.destroy @snippet.destroy
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment