authorFelipe Artur <felipefac@gmail.com>2016-03-31 11:36:40 -0300
committerFelipe Artur <felipefac@gmail.com>2016-04-18 11:12:27 -0300
commite8a77c0aee3eaf99793b3678a0eb97194244b339 (patch)
tree231de9a63132ba58fdecf8c27e2b062f3811a4b7 /app
parent668d6ffa437aa5c920e987beb5de4e8dacbfd00c (diff)
Fix code
Diffstat (limited to 'app')
-rw-r--r--app/controllers/groups/group_members_controller.rb4
-rw-r--r--app/controllers/users_controller.rb6
-rw-r--r--app/models/ability.rb4
3 files changed, 5 insertions, 9 deletions
diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index 50398d5d3b4..9fc72635806 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -1,7 +1,7 @@
class Groups::GroupMembersController < Groups::ApplicationController
# Authorize
before_action :authorize_admin_group_member!, except: [:index, :leave]
- before_action :authorize_read_group_members, only: [:index]
+ before_action :authorize_read_group_members!, only: [:index]
def index
@project = @group.projects.find(params[:project_id]) if params[:project_id]
@@ -83,7 +83,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
private
- def authorize_read_group_members
+ def authorize_read_group_members!
render_404 unless can?(current_user, :read_group_members, @group)
end
end
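Review bot: authorize_read_group_members! has no comment saying why an unauthorized reader gets a 404 rather than a 403, and the reason matters for the next maintainer: responding 404 avoids confirming to an anonymous visitor that the group exists and has a member list. The ability this guards is, per the ability.rb hunk in this same commit, granted to anonymous users only when public is not a restricted visibility level, so the method is the controller-side half of that setting. I would add above the def: `# Respond 404, not 403, so an unauthorized visitor learns nothing about the group; anonymous read_group_members is granted by Ability only when public visibility is not restricted.`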
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 642f5eea1de..233dca54b99 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,8 +1,7 @@
class UsersController < ApplicationController
skip_before_action :authenticate_user!
- #TODO felipe_artur: Remove this "set_user" before action. It is not good to use before filters for loading database records.
before_action :set_user, except: [:show]
- before_action :authorize_read_user, only: [:show]
+ before_action :authorize_read_user!, only: [:show]
def show
respond_to do |format|
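Review bot: The read_user check is applied to show only, while every other action in this controller still runs with authenticate_user! skipped and its record loaded by set_user with no authorization check at all (those actions are outside the hunk). If read_user exists to hide profiles from anonymous visitors when public visibility is restricted, as the ability.rb change in this commit suggests, the remaining profile endpoints bypass the restriction. Since authorize_read_user! already calls set_user, the two filters can collapse into one that covers the whole controller: `before_action :authorize_read_user!`. UsersController's body continues past the hunk.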
@@ -76,7 +75,8 @@ class UsersController < ApplicationController
end
private
- def authorize_read_user
+
+ def authorize_read_user!
set_user
render_404 unless can?(current_user, :read_user, @user)
end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 2914ca16b2d..874ec360944 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -1,5 +1,4 @@
class Ability
- @public_restricted = nil
class << self
def allowed(user, subject)
@@ -72,7 +71,6 @@ class Ability
# Allow to read issues by anonymous user if issue is not confidential
rules << :read_issue unless subject.is_a?(Issue) && subject.confidential?
- # Allow anonymous users to read project members if public is not a restricted level
rules << :read_project_member unless restricted_public_level?
rules - project_disabled_features_rules(project)
@@ -100,7 +98,6 @@ class Ability
if group
rules << [:read_group] if group.public?
- # Allow anonymous users to read project members if public is not a restricted level
rules << [:read_group_members] unless restricted_public_level?
end
@@ -493,7 +490,6 @@ class Ability
def restricted_public_level?
@public_restricted ||= current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
- @public_restricted
end
def named_abilities(name)
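Review bot: The `||=` memo in restricted_public_level? writes @public_restricted on the Ability class itself if this method sits inside the `class << self` block opened at the top of the file, so the value lives for the process lifetime rather than the request. Once the lookup returns true it is never re-read, so an administrator lifting the restriction on public visibility would not take effect in that process until restart; a false result is recomputed on every call, so the memo only ever sticks on true. Unless a per-process cache is intended, evaluate the setting each time: `current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)`. named_abilities begins at the end of the hunk and continues outside it.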