author | Douglas Barbosa Alexandre <dbalexandre@gmail.com> | 2016-08-09 01:03:41 +0300 |
---|---|---|
committer | Douglas Barbosa Alexandre <dbalexandre@gmail.com> | 2016-08-17 18:58:59 +0300 |
commit | a8b1ad250e1ebc1c1e835399ccd010b223108a1d (patch) | |
tree | 6d863ac30dcc7db0238ad5b6c3f82988b7bc1029 /app | |
parent | 6113767045971abd3a279705f481c8e712660c88 (diff) |
Add authorization to issues board related controllers
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/projects/board_issues_controller.rb | 11 | ||||
-rw-r--r-- | app/controllers/projects/board_lists_controller.rb | 6 | ||||
-rw-r--r-- | app/controllers/projects/boards_controller.rb | 13 | ||||
-rw-r--r-- | app/models/ability.rb | 2 | ||||
-rw-r--r-- | app/services/boards/issues/move_service.rb | 1 |
5 files changed, 32 insertions, 1 deletions
diff --git a/app/controllers/projects/board_issues_controller.rb b/app/controllers/projects/board_issues_controller.rb index fdc3a8795ef..89d0be54855 100644 --- a/app/controllers/projects/board_issues_controller.rb +++ b/app/controllers/projects/board_issues_controller.rb @@ -1,6 +1,9 @@ class Projects::BoardIssuesController < Projects::ApplicationController respond_to :json + before_action :authorize_read_issue!, only: [:index] + before_action :authorize_update_issue!, only: [:update] + rescue_from ActiveRecord::RecordNotFound, with: :record_not_found def index @@ -27,6 +30,14 @@ class Projects::BoardIssuesController < Projects::ApplicationController private + def authorize_read_issue! + return render_403 unless can?(current_user, :read_issue, project) + end + + def authorize_update_issue! + return render_403 unless can?(current_user, :update_issue, project) + end + def filter_params params.merge(id: params[:list_id]) end diff --git a/app/controllers/projects/board_lists_controller.rb b/app/controllers/projects/board_lists_controller.rb index 63daba09e6a..75b80c55b21 100644 --- a/app/controllers/projects/board_lists_controller.rb +++ b/app/controllers/projects/board_lists_controller.rb @@ -1,6 +1,8 @@ class Projects::BoardListsController < Projects::ApplicationController respond_to :json + before_action :authorize_admin_list! + rescue_from ActiveRecord::RecordNotFound, with: :record_not_found def create @@ -45,6 +47,10 @@ class Projects::BoardListsController < Projects::ApplicationController private + def authorize_admin_list! + return render_403 unless can?(current_user, :admin_list, project) + end + def list_params params.require(:list).permit(:label_id) end diff --git a/app/controllers/projects/boards_controller.rb b/app/controllers/projects/boards_controller.rb index 50311acec32..301c718ad57 100644 --- a/app/controllers/projects/boards_controller.rb +++ b/app/controllers/projects/boards_controller.rb 
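Review bot: The two `before_action` lines in the first board_issues_controller hunk guard only `index` and `update`, so any other action this controller defines (the file continues outside the hunks) stays unguarded by an ability check; if `index` and `update` are the only actions, dropping `only:` from the read check makes the baseline explicit and future-proof: `before_action :authorize_read_issue!` plus `before_action :authorize_update_issue!, only: [:update]`. On style, the `return` in `return render_403 unless can?(current_user, :read_issue, project)` in the second hunk is redundant, because `render` already halts the filter chain; `render_403 unless can?(current_user, :read_issue, project)` is the usual form. The same redundant `return` appears in `authorize_admin_list!` in the board_lists_controller hunk.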
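Review bot: `before_action :authorize_admin_list!` in the first board_lists_controller hunk carries no `only:`, so every action in this controller now requires `:admin_list`, including any read-only listing action that may exist beyond the `create` visible here (the rest of the file is outside the hunks). That is the safe default, but since `:read_board` already exposes the lists through `BoardsController#show`, a reader cannot tell whether a read endpoint here was meant to be reporter-only or is simply absent. A one-line comment above the filter would settle it, e.g. `# Every action here creates, reorders or destroys lists, so :admin_list is required throughout.` — adjust if a read-only action exists.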
@@ -1,4 +1,6 @@ class Projects::BoardsController < Projects::ApplicationController + before_action :authorize_read_board!, only: [:show] + def show board = Boards::CreateService.new(project, current_user).execute @@ -7,4 +9,15 @@ class Projects::BoardsController < Projects::ApplicationController format.json { render json: board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :color] } }) } end end + + private + + def authorize_read_board! + unless can?(current_user, :read_board, project) + respond_to do |format| + format.html { return access_denied! } + format.json { return render_403 } + end + end + end end diff --git a/app/models/ability.rb b/app/models/ability.rb index d9113ffd99a..b70451db12f 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -228,6 +228,7 @@ class Ability :read_project, :read_wiki, :read_issue, + :read_board, :read_label, :read_milestone, :read_project_snippet, @@ -249,6 +250,7 @@ class Ability :update_issue, :admin_issue, :admin_label, + :admin_list, :read_commit_status, :read_build, :read_container_image, diff --git a/app/services/boards/issues/move_service.rb b/app/services/boards/issues/move_service.rb index 398a02ebbfd..381bd95c837 100644 --- a/app/services/boards/issues/move_service.rb +++ b/app/services/boards/issues/move_service.rb @@ -4,7 +4,6 @@ module Boards def execute return false unless issue.present? return false unless valid_move? - return false unless user.can?(:update_issue, issue) update_service.execute(issue) reopen_service.execute(issue) if moving_from.done? |
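Review bot: `authorize_read_board!` in the second boards_controller hunk wraps the denial in `respond_to` and relies on `return` inside each format block to leave the filter, which is harder to read than a guard clause and easy to break when another format is added; since `access_denied!` and `render_403` both produce a response, Rails halts the chain without the explicit returns. A guard-clause form is shown below. Separately, the guarded `show` action calls `Boards::CreateService` and so may create a board on a GET while only `:read_board` is required; that is fine if the service is find-or-create, which this page does not show, so a comment on `show` stating the assumption would help, e.g. `# CreateService is expected to return the existing board when one exists; :read_board suffices here — confirm.`
```ruby
def authorize_read_board!
  return if can?(current_user, :read_board, project)

  respond_to do |format|
    format.html { access_denied! }
    format.json { render_403 }
  end
end
```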
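Review bot: Removing `return false unless user.can?(:update_issue, issue)` from `MoveService#execute` takes away the only check evaluated against the issue itself; the replacement in the board_issues_controller hunk, `can?(current_user, :update_issue, project)`, is project-scoped, so if Ability applies issue-level rules (the ability.rb hunks on this page show only project-level lists) a user may now move an issue the service previously refused. Any other caller of the service also loses the check, because enforcement now lives in a single controller filter. Keeping the line in the service alongside the controller filter costs one ability lookup and preserves defence in depth; if it is deliberately dropped, a comment such as `# Authorization is enforced by the calling controller (see Projects::BoardIssuesController).` should say so. `execute` continues past the end of the hunk.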