diff options
| author | Stan Hu <stanhu@gmail.com> | 2015-07-20 19:42:07 +0300 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2015-07-20 19:42:07 +0300 |
| commit | 996ad35bedca4b8975a6f65fcbf5dbdb75cae278 (patch) | |
| tree | 47c5bb13598455255a87ef782e23641368729e97 /app | |
| parent | 3522018db3b6bb9f799e9326e109c6897c4a285e (diff) | |
| parent | 4a0e4c857f799d2e3cc5d5dc37de6da784661965 (diff) | |
Merge branch 'fix-disabled-feature-access' into 'master'
Fix (i.e. prevent) access to disabled features for unauthenticated users
Unauthenticated users had access to disabled features of public
projects. The code has been slightly refactored so that feature checks
are done in a separate method and can also be applied for public access.
See merge request !1006
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/ability.rb | 54 |
1 files changed, 31 insertions, 23 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb index 7dab50d47d4..9258d981ac9 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -31,7 +31,7 @@ class Ability end if project && project.public? - [ + rules = [ :read_project, :read_wiki, :read_issue, @@ -43,6 +43,8 @@ class Ability :read_note, :download_code ] + + rules - project_disabled_features_rules(project) else group = if subject.kind_of?(Group) subject @@ -103,28 +105,7 @@ class Ability rules -= project_archived_rules end - unless project.issues_enabled - rules -= named_abilities('issue') - end - - unless project.merge_requests_enabled - rules -= named_abilities('merge_request') - end - - unless project.issues_enabled or project.merge_requests_enabled - rules -= named_abilities('label') - rules -= named_abilities('milestone') - end - - unless project.snippets_enabled - rules -= named_abilities('project_snippet') - end - - unless project.wiki_enabled - rules -= named_abilities('wiki') - end - - rules + rules - project_disabled_features_rules(project) end end @@ -206,6 +187,33 @@ class Ability ] end + def project_disabled_features_rules(project) + rules = [] + + unless project.issues_enabled + rules += named_abilities('issue') + end + + unless project.merge_requests_enabled + rules += named_abilities('merge_request') + end + + unless project.issues_enabled or project.merge_requests_enabled + rules += named_abilities('label') + rules += named_abilities('milestone') + end + + unless project.snippets_enabled + rules += named_abilities('project_snippet') + end + + unless project.wiki_enabled + rules += named_abilities('wiki') + end + + rules + end + def group_abilities(user, group) rules = [] |