summaryrefslogtreecommitdiff
path: root/app/controllers
diff options
context:
space:
mode:
authorKamil Trzciński <ayufan@ayufan.eu>2017-05-06 17:17:02 +0000
committerKamil Trzciński <ayufan@ayufan.eu>2017-05-06 17:17:02 +0000
commit6ad3814e1b31bfacfae7a2aabb4e4607b12ca66f (patch)
treeb6024ca475dea081d9f38e4b14a2709d17af3a50 /app/controllers
parent2e6201b13197d03eafecd18d967ba7d55f664e19 (diff)
parentfc121cca5ba87abd24afbc8da2f76e14e386e4c8 (diff)
downloadgitlab-ce-6ad3814e1b31bfacfae7a2aabb4e4607b12ca66f.tar.gz
Merge branch 'feature/gb/manual-actions-protected-branches-permissions' into 'master'
Check access to a branch when user triggers manual action Closes #20261 See merge request !10494
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/projects/application_controller.rb8
-rw-r--r--app/controllers/projects/builds_controller.rb22
2 files changed, 23 insertions, 7 deletions
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index b4b0dfc3eb8..12e4a6999ae 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -40,13 +40,15 @@ class Projects::ApplicationController < ApplicationController
(current_user && current_user.already_forked?(project))
end
- def authorize_project!(action)
- return access_denied! unless can?(current_user, action, project)
+ def authorize_action!(action)
+ unless can?(current_user, action, project)
+ return access_denied!
+ end
end
def method_missing(method_sym, *arguments, &block)
if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
- authorize_project!($1.to_sym)
+ authorize_action!($1.to_sym)
else
super
end
diff --git a/app/controllers/projects/builds_controller.rb b/app/controllers/projects/builds_controller.rb
index e24fc45d166..0fd35bcb790 100644
--- a/app/controllers/projects/builds_controller.rb
+++ b/app/controllers/projects/builds_controller.rb
@@ -1,7 +1,11 @@
class Projects::BuildsController < Projects::ApplicationController
before_action :build, except: [:index, :cancel_all]
- before_action :authorize_read_build!, only: [:index, :show, :status, :raw, :trace]
- before_action :authorize_update_build!, except: [:index, :show, :status, :raw, :trace]
+
+ before_action :authorize_read_build!,
+ only: [:index, :show, :status, :raw, :trace]
+ before_action :authorize_update_build!,
+ except: [:index, :show, :status, :raw, :trace, :cancel_all]
+
layout 'project'
def index
@@ -28,7 +32,12 @@ class Projects::BuildsController < Projects::ApplicationController
end
def cancel_all
- @project.builds.running_or_pending.each(&:cancel)
+ return access_denied! unless can?(current_user, :update_build, project)
+
+ @project.builds.running_or_pending.each do |build|
+ build.cancel if can?(current_user, :update_build, build)
+ end
+
redirect_to namespace_project_builds_path(project.namespace, project)
end
@@ -107,8 +116,13 @@ class Projects::BuildsController < Projects::ApplicationController
private
+ def authorize_update_build!
+ return access_denied! unless can?(current_user, :update_build, build)
+ end
+
def build
- @build ||= project.builds.find_by!(id: params[:id]).present(current_user: current_user)
+ @build ||= project.builds.find(params[:id])
+ .present(current_user: current_user)
end
def build_path(build)
View Lorry Controller Status