
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2014-06-06 10:08:24 +0400
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2014-06-06 10:08:24 +0400
commit8ec42ff85ced58f925a1214738c841372f774eda (patch)
treee151b79e0aa419d22aa1c4eb454fd03a7bc9edb0
parent67ba36ebaca1a6346d443952ec06ac089a217de7 (diff)
parentdccfb374d396b1b7cbd86bde848165796618ef52 (diff)
Merge pull request #7090 from NARKOZ/api-files-access
fix permissions for files API
-rw-r--r--lib/api/files.rb9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/api/files.rb b/lib/api/files.rb
index e0c46f92b84..e63e635a4d3 100644
--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -2,7 +2,6 @@ module API
# Projects API
class Files < Grape::API
before { authenticate! }
- before { authorize! :push_code, user_project }
resource :projects do
# Get file from repository
@@ -28,6 +27,8 @@ module API
# }
#
get ":id/repository/files" do
+ authorize! :download_code, user_project
+
required_attributes! [:file_path, :ref]
attrs = attributes_for_keys [:file_path, :ref]
ref = attrs.delete(:ref)
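Review bot: With the class-level `before { authorize! :push_code, user_project }` removed in the first hunk, permission checks in this file become opt-in per route. A route added later without its own `authorize!` line would rely only on `authenticate!` and on whatever `user_project` itself enforces. A comment above `resource :projects do`, such as `# No class-level permission check: every route below must call authorize! itself.`, would make that contract explicit. A request spec per verb for a user who has read access but not push access would pin the intended split between `:download_code` and `:push_code`. The GET route's body continues past the end of this hunk.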
@@ -68,6 +69,8 @@ module API
# POST /projects/:id/repository/files
#
post ":id/repository/files" do
+ authorize! :push_code, user_project
+
required_attributes! [:file_path, :branch_name, :content, :commit_message]
attrs = attributes_for_keys [:file_path, :branch_name, :content, :commit_message, :encoding]
branch_name = attrs.delete(:branch_name)
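Review bot: `authorize! :push_code, user_project` is evaluated against the project only, before the caller-supplied `branch_name` is read, so this line alone cannot tell a protected branch from an ordinary one. Whether the code after this hunk applies protected-branch rules is not visible here and is worth confirming. If it does, a comment next to the check would record where, for example `# project-level check only; branch protection is enforced in <service that performs the commit>`. The same applies to the PUT and DELETE routes in the following hunks, which add the identical line; all three route bodies continue outside their hunks.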
@@ -98,6 +101,8 @@ module API
# PUT /projects/:id/repository/files
#
put ":id/repository/files" do
+ authorize! :push_code, user_project
+
required_attributes! [:file_path, :branch_name, :content, :commit_message]
attrs = attributes_for_keys [:file_path, :branch_name, :content, :commit_message, :encoding]
branch_name = attrs.delete(:branch_name)
@@ -128,6 +133,8 @@ module API
# DELETE /projects/:id/repository/files
#
delete ":id/repository/files" do
+ authorize! :push_code, user_project
+
required_attributes! [:file_path, :branch_name, :commit_message]
attrs = attributes_for_keys [:file_path, :branch_name, :commit_message]
branch_name = attrs.delete(:branch_name)