authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2012-02-22 00:31:18 +0200
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2012-02-22 00:31:18 +0200
commit8c40aab120dbc5507ab9cc8d7ad8e2519d6e9f25 (patch)
tree2b736fef4b5437bb201c0dbc038950ac2e184a0a /app/controllers/wikis_controller.rb
parentaf82b6773b9b81cdac83afb702565207c00bad87 (diff)
Abilities extended. Resource security improved
Diffstat (limited to 'app/controllers/wikis_controller.rb')
-rw-r--r--app/controllers/wikis_controller.rb21
1 files changed, 6 insertions, 15 deletions
diff --git a/app/controllers/wikis_controller.rb b/app/controllers/wikis_controller.rb
index 5e8365cffa5..9bcd20c3187 100644
--- a/app/controllers/wikis_controller.rb
+++ b/app/controllers/wikis_controller.rb
@@ -2,7 +2,7 @@ class WikisController < ApplicationController
before_filter :project
before_filter :add_project_abilities
before_filter :authorize_read_wiki!
- before_filter :authorize_write_wiki!, :except => [:show, :destroy]
+ before_filter :authorize_write_wiki!, :only => [:edit, :create, :history]
before_filter :authorize_admin_wiki!, :only => :destroy
layout "project"
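Review bot: Changing the `before_filter :authorize_write_wiki!` line from an `:except` list to an `:only` list makes the write check opt-in: any action not named in `[:edit, :create, :history]` now runs without it, whereas the old `:except` form covered every action by default. If this controller has or later gains an `update` action (the Rails default target of a form rendered by `edit`), it would be left unprotected; the rest of the controller is outside this hunk, so I cannot confirm which actions exist. If the intent is to enumerate the mutating actions explicitly, a comment next to the filter should state that `show` is the only read-only action and that `destroy` is guarded by the admin filter on the following line, so that whoever adds the next action knows to extend the list; otherwise the fail-closed `:except` form is the safer default.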
@@ -12,6 +12,11 @@ class WikisController < ApplicationController
else
@wiki = @project.wikis.where(:slug => params[:id]).order("created_at").last
end
+
+ unless @wiki
+ return render_404 unless can?(current_user, :write_wiki, @project)
+ end
+
respond_to do |format|
if @wiki
format.html
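Review bot: The added guard nests `unless` inside `unless`, which reads as a double negative and can be a single line: `return render_404 if @wiki.nil? && !can?(current_user, :write_wiki, @project)`. It also repeats the same `:write_wiki` ability check that `authorize_write_wiki!` performs as a filter, so a future rename of the ability has two places to change; consider reusing that helper or a small private predicate. A short comment would make the intent clear to the next reader, e.g. `# Missing page: readers get a 404, users who may write presumably get the create form below — confirm against the else branch`, since the `else` branch of the `respond_to` block is outside this hunk. The enclosing action begins before this hunk and its `respond_to` block continues after it.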
@@ -51,18 +56,4 @@ class WikisController < ApplicationController
format.html { redirect_to project_wiki_path(@project, :index), notice: "Page was successfully deleted" }
end
end
-
- protected
-
- def authorize_read_wiki!
- can?(current_user, :read_wiki, @project)
- end
-
- def authorize_write_wiki!
- can?(current_user, :write_wiki, @project)
- end
-
- def authorize_admin_wiki!
- can?(current_user, :admin_wiki, @project)
- end
end