diff options
author | Daniel Gerhardt <code@dgerhardt.net> | 2015-07-19 23:21:33 +0200 |
---|---|---|
committer | Daniel Gerhardt <code@dgerhardt.net> | 2015-07-20 09:45:24 +0200 |
commit | 4a0e4c857f799d2e3cc5d5dc37de6da784661965 (patch) | |
tree | 2eae7ce1f3bcbb242a5a8d08a6728b7b1d2b1f5a /app/models | |
parent | e8aaf5680355b2a71ab85439f653a70f4b487e0b (diff) | |
download | gitlab-ce-4a0e4c857f799d2e3cc5d5dc37de6da784661965.tar.gz |
Fix access to disabled features for unauthenticated users
Unauthenticated users had access to disabled features of public
projects. The code has been slightly refactored so that feature checks
are done in a separate method and can also be applied for public access.
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/ability.rb | 54 |
1 files changed, 31 insertions, 23 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb index d3631d49ec6..6cffc46cec3 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -31,7 +31,7 @@ class Ability end if project && project.public? - [ + rules = [ :read_project, :read_wiki, :read_issue, @@ -42,6 +42,8 @@ class Ability :read_note, :download_code ] + + rules - project_disabled_features_rules(project) else group = if subject.kind_of?(Group) subject @@ -102,28 +104,7 @@ class Ability rules -= project_archived_rules end - unless project.issues_enabled - rules -= named_abilities('issue') - end - - unless project.merge_requests_enabled - rules -= named_abilities('merge_request') - end - - unless project.issues_enabled or project.merge_requests_enabled - rules -= named_abilities('label') - rules -= named_abilities('milestone') - end - - unless project.snippets_enabled - rules -= named_abilities('project_snippet') - end - - unless project.wiki_enabled - rules -= named_abilities('wiki') - end - - rules + rules - project_disabled_features_rules(project) end end @@ -205,6 +186,33 @@ class Ability ] end + def project_disabled_features_rules(project) + rules = [] + + unless project.issues_enabled + rules += named_abilities('issue') + end + + unless project.merge_requests_enabled + rules += named_abilities('merge_request') + end + + unless project.issues_enabled or project.merge_requests_enabled + rules += named_abilities('label') + rules += named_abilities('milestone') + end + + unless project.snippets_enabled + rules += named_abilities('project_snippet') + end + + unless project.wiki_enabled + rules += named_abilities('wiki') + end + + rules + end + def group_abilities(user, group) rules = [] |