authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2012-11-29 17:17:01 +0200
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2012-11-29 17:17:01 +0200
commit9df6f7bfad0b18ddaa9fdda2506a8c8958224a7e (patch)
tree9884161dccf18b1b81102635166c77853b48b723
parent83f2a387d68ca055e83ed2cfb61cc329e0bda2d1 (diff)
downloadgitlab-ce-9df6f7bfad0b18ddaa9fdda2506a8c8958224a7e.tar.gz
authorized_projects and authorized_groups methods for user
-rw-r--r--app/controllers/dashboard_controller.rb6
-rw-r--r--app/controllers/groups_controller.rb18
-rw-r--r--app/models/project.rb10
-rw-r--r--app/models/user.rb8
4 files changed, 26 insertions, 16 deletions
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index e01b586a394..3d9b09405d3 100644
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -5,8 +5,10 @@ class DashboardController < ApplicationController
before_filter :event_filter, only: :index
def index
- @groups = current_user.accessed_groups
+ @groups = current_user.authorized_groups
+
@projects = @projects.page(params[:page]).per(30)
+
@events = Event.in_projects(current_user.project_ids)
@events = @event_filter.apply_filter(@events)
@events = @events.limit(20).offset(params[:offset] || 0)
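Review bot: The event feed on the `Event.in_projects(current_user.project_ids)` line is still scoped by `current_user.project_ids`, while `@groups` here (and `@projects` in the next hunk) switch to the new `authorized_*` methods. If `project_ids` comes from the `users_projects` membership association, it is narrower than `Project.authorized_for`, which also admits projects the user owns directly or through a namespace, so the dashboard could list projects whose events never appear in the feed. Consider deriving the id list from the same source, e.g. `@events = Event.in_projects(current_user.authorized_projects.map(&:id))`, or add a comment stating why the feed is deliberately membership-only. The `index` action continues past the end of the hunk.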
@@ -43,7 +45,7 @@ class DashboardController < ApplicationController
protected
def projects
- @projects = current_user.projects_sorted_by_activity
+ @projects = current_user.authorized_projects.sorted_by_activity
end
def event_filter
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index cfa7e89f7f2..880092e48e1 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -5,6 +5,9 @@ class GroupsController < ApplicationController
before_filter :group
before_filter :projects
+ # Authorize
+ before_filter :authorize_read_group!
+
def show
@events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0)
@last_push = current_user.recent_push
@@ -54,16 +57,17 @@ class GroupsController < ApplicationController
end
def projects
- @projects ||= begin
- if can?(current_user, :manage_group, @group)
- @group.projects
- else
- current_user.projects.where(namespace_id: @group.id)
- end.sorted_by_activity.all
- end
+ @projects ||= group.projects.authorized_for(current_user).sorted_by_activity
end
def project_ids
projects.map(&:id)
end
+
+ # Dont allow unauthorized access to group
+ def authorize_read_group!
+ unless projects.present? or can?(current_user, :manage_group, @group)
+ return render_404
+ end
+ end
end
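Review bot: `authorize_read_group!` uses `or` in its condition (`unless projects.present? or can?(...)`); it parses as intended inside `unless`, but `or` has lower precedence than `||` and is reserved for control flow, so `unless projects.present? || can?(current_user, :manage_group, @group)` is the clearer form. The same method reads `@group` while the rewritten `projects` method above reads `group`; using one accessor consistently avoids depending on `before_filter :group` having populated the ivar before the authorization filter runs (filters run in declaration order, so it works today, but only by order). The comment above the method would be more useful stating the rule it enforces: `# 404 unless the user can see at least one project in the group or can manage the group.`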
diff --git a/app/models/project.rb b/app/models/project.rb
index 68d09cae345..1d03d065c28 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -76,6 +76,11 @@ class Project < ActiveRecord::Base
scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") }
class << self
+ def authorized_for user
+ projects = includes(:users_projects, :namespace)
+ projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)
+ end
+
def active
joins(:issues, :notes, :merge_requests).order("issues.created_at, notes.created_at, merge_requests.created_at DESC")
end
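Review bot: `authorized_for`, now moved into `class << self`, assigns the relation to a local `projects` twice and relies on the last assignment as the implicit return value, and it omits parentheses around its parameter. The bound `:user_id` placeholder keeps the SQL condition parameterized, which is the important part, but the body reads more clearly as a single chain: `def authorized_for(user)` / `includes(:users_projects, :namespace).where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)` / `end`. A one-line comment naming the three grants (`# visible when the user is a member via users_projects, the direct owner, or the owner of the project's namespace`) would help readers of the callers this commit adds. The string condition references the `users_projects` and `namespaces` tables, so it depends on `includes` being promoted to a JOIN; that assumption is worth a comment as well.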
@@ -285,9 +290,4 @@ class Project < ActiveRecord::Base
merge_requests
end
end
-
- def self.authorized_for user
- projects = includes(:users_projects, :namespace)
- projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)
- end
end
diff --git a/app/models/user.rb b/app/models/user.rb
index 4ec4c277141..3f2d7c92ea8 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -124,11 +124,15 @@ class User < ActiveRecord::Base
end
end
- def accessed_groups
- @accessed_groups ||= begin
+ def authorized_groups
+ @authorized_groups ||= begin
groups = Group.where(id: self.projects.pluck(:namespace_id)).all
groups = groups + self.groups
groups.uniq
end
end
+
+ def authorized_projects
+ Project.authorized_for(self)
+ end
end
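Review bot: `authorized_groups` and `authorized_projects` carry no documentation of what "authorized" means, and the two behave differently: the groups method is memoized in `@authorized_groups` and returns an `Array` (because of `.all` and the `+ self.groups` concatenation), while `authorized_projects` returns a fresh relation from `Project.authorized_for` on every call. A short comment on each would prevent callers from chaining scopes on the first or expecting caching from the second, e.g. `# Groups the user can see: namespaces of projects they belong to plus the user's own groups association. Memoized per instance; returns an Array, not a relation.` and `# Projects the user may access (see Project.authorized_for); not memoized, returns a relation.` Whether `self.groups` means owned groups or some other association is not visible in this hunk, so the wording should be confirmed against the model.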