Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorDmitriy Zaporozhets <dzaporozhets@sphereconsultinginc.com>2011-10-17 14:39:03 +0400
committerDmitriy Zaporozhets <dzaporozhets@sphereconsultinginc.com>2011-10-17 14:39:03 +0400
commit5ec838013e9885e0b8c8afaaf4e71780d8325b3c (patch)
tree2753b16c8ea021b95489ded0a92c54158cef8545 /app
parentcafacc72f242259b19e5066bc4beda6b80a67bfd (diff)
security improved
Diffstat (limited to 'app')
-rw-r--r--app/controllers/application_controller.rb8
-rw-r--r--app/controllers/issues_controller.rb14
-rw-r--r--app/controllers/notes_controller.rb4
-rw-r--r--app/controllers/snippets_controller.rb7
-rw-r--r--app/controllers/team_members_controller.rb4
-rw-r--r--app/models/ability.rb20
6 files changed, 43 insertions, 14 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2866d1a7358..047c6cb7d95 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -27,11 +27,15 @@ class ApplicationController < ActionController::Base
end
def authenticate_admin!
- return redirect_to(new_user_session_path) unless current_user.is_admin?
+ return render_404 unless current_user.is_admin?
end
def authorize_project!(action)
- return redirect_to(new_user_session_path) unless can?(current_user, action, project)
+ return render_404 unless can?(current_user, action, project)
+ end
+
+ def access_denied!
+ render_404
end
def method_missing(method_sym, *arguments, &block)
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index 6da5dea8bf7..cf8e1ebe661 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -1,12 +1,12 @@
class IssuesController < ApplicationController
before_filter :authenticate_user!
before_filter :project
+ before_filter :issue, :only => [:edit, :update, :destroy, :show]
# Authorize
before_filter :add_project_abilities
before_filter :authorize_read_issue!
before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort]
- before_filter :authorize_admin_issue!, :only => [:destroy]
respond_to :js
@@ -30,12 +30,10 @@ class IssuesController < ApplicationController
end
def edit
- @issue = @project.issues.find(params[:id])
respond_with(@issue)
end
def show
- @issue = @project.issues.find(params[:id])
@notes = @issue.notes
@note = @project.notes.new(:noteable => @issue)
end
@@ -51,7 +49,6 @@ class IssuesController < ApplicationController
end
def update
- @issue = @project.issues.find(params[:id])
@issue.update_attributes(params[:issue])
respond_to do |format|
@@ -62,7 +59,8 @@ class IssuesController < ApplicationController
def destroy
- @issue = @project.issues.find(params[:id])
+ return access_denied! unless can?(current_user, :admin_issue, @issue)
+
@issue.destroy
respond_to do |format|
@@ -79,4 +77,10 @@ class IssuesController < ApplicationController
render :nothing => true
end
+
+ protected
+
+ def issue
+ @issue ||= @project.issues.find(params[:id])
+ end
end
diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index 1703c00d5e5..46425664d6e 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -4,7 +4,6 @@ class NotesController < ApplicationController
# Authorize
before_filter :add_project_abilities
before_filter :authorize_write_note!, :only => [:create]
- before_filter :authorize_admin_note!, :only => [:destroy]
respond_to :js
@@ -25,6 +24,9 @@ class NotesController < ApplicationController
def destroy
@note = @project.notes.find(params[:id])
+
+ return access_denied! unless can?(current_user, :admin_note, @note)
+
@note.destroy
respond_to do |format|
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index 5a6ffa4f913..b31fe6836a2 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -52,12 +52,11 @@ class SnippetsController < ApplicationController
def destroy
@snippet = @project.snippets.find(params[:id])
- authorize_admin_snippet! unless @snippet.author == current_user
+
+ return access_denied! unless can?(current_user, :admin_snippet, @snippet)
@snippet.destroy
- respond_to do |format|
- format.js { render :nothing => true }
- end
+ redirect_to project_snippets_path(@project)
end
end
diff --git a/app/controllers/team_members_controller.rb b/app/controllers/team_members_controller.rb
index e00cc36c0eb..5fb2710dad7 100644
--- a/app/controllers/team_members_controller.rb
+++ b/app/controllers/team_members_controller.rb
@@ -3,8 +3,8 @@ class TeamMembersController < ApplicationController
# Authorize
before_filter :add_project_abilities
- before_filter :authorize_read_team_member!
- before_filter :authorize_admin_team_member!, :only => [:new, :create, :destroy, :update]
+ before_filter :authorize_read_project!
+ before_filter :authorize_admin_project!, :only => [:new, :create, :destroy, :update]
def show
@team_member = project.users_projects.find(params[:id])
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 9a5970b5838..b822f6300ca 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -2,6 +2,9 @@ class Ability
def self.allowed(object, subject)
case subject.class.name
when "Project" then project_abilities(object, subject)
+ when "Issue" then issue_abilities(object, subject)
+ when "Note" then note_abilities(object, subject)
+ when "Snippet" then snippet_abilities(object, subject)
else []
end
end
@@ -34,4 +37,21 @@ class Ability
rules.flatten
end
+
+ class << self
+ [:issue, :note, :snippet].each do |name|
+ define_method "#{name}_abilities" do |user, subject|
+ if subject.author == user
+ [
+ :"read_#{name}",
+ :"write_#{name}",
+ :"admin_#{name}"
+ ]
+ else
+ subject.respond_to?(:project) ?
+ project_abilities(user, subject.project) : []
+ end
+ end
+ end
+ end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-14 21:31:35 +0300