Diffstat (limited to 'app/controllers')
| -rw-r--r-- | app/controllers/application_controller.rb | 4 | ||||
| -rw-r--r-- | app/controllers/commits_controller.rb | 1 | ||||
| -rw-r--r-- | app/controllers/issues_controller.rb | 5 | ||||
| -rw-r--r-- | app/controllers/merge_requests_controller.rb | 5 | ||||
| -rw-r--r-- | app/controllers/refs_controller.rb | 1 | ||||
| -rw-r--r-- | app/controllers/repositories_controller.rb | 1 | ||||
| -rw-r--r-- | app/controllers/snippets_controller.rb | 13 | ||||
| -rw-r--r-- | app/controllers/wikis_controller.rb | 21 |
8 files changed, 23 insertions, 28 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 5a5b4aeb8d4..ee2240b2f0f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -48,6 +48,10 @@ class ApplicationController < ActionController::Base
 return render_404 unless can?(current_user, action, project)
 end
 
+ def authorize_code_access!
+ return render_404 unless can?(current_user, :download_code, project)
+ end
+
 def access_denied!
 render_404
 end
diff --git a/app/controllers/commits_controller.rb b/app/controllers/commits_controller.rb
index c7fcae3b79a..0b976fa8a2c 100644
--- a/app/controllers/commits_controller.rb
+++ b/app/controllers/commits_controller.rb
@@ -7,6 +7,7 @@ class CommitsController < ApplicationController
 # Authorize
 before_filter :add_project_abilities
 before_filter :authorize_read_project!
+ before_filter :authorize_code_access!
 before_filter :require_non_empty_project
 before_filter :load_refs, :only => :index # load @branch, @tag & @ref
 before_filter :render_full_content
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index ed1a5864f23..36c9c8f6c51 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -126,12 +126,11 @@ class IssuesController < ApplicationController
 end
 
 def authorize_modify_issue!
- can?(current_user, :modify_issue, @issue) ||
- @issue.assignee == current_user
+ return render_404 unless can?(current_user, :modify_issue, @issue)
 end
 
 def authorize_admin_issue!
- can?(current_user, :admin_issue, @issue)
+ return render_404 unless can?(current_user, :admin_issue, @issue)
 end
 
 def module_enabled
diff --git a/app/controllers/merge_requests_controller.rb b/app/controllers/merge_requests_controller.rb
index 02c8246e37e..fa2e73291e0 100644
--- a/app/controllers/merge_requests_controller.rb
+++ b/app/controllers/merge_requests_controller.rb
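Review bot: `authorize_code_access!` re-implements the check that the context line directly above it already performs (`return render_404 unless can?(current_user, action, project)`, inside a method — presumably `authorize_project!` — whose signature is outside the hunk); if that method takes the ability as its argument, the body could be `authorize_project!(:download_code)`, keeping a single place where the 404-on-denied convention is defined. The method name says "code access" while the ability it checks is `:download_code`; a comment such as `# Gate actions that expose repository contents on the :download_code ability; registered by commits, refs and repositories controllers` would make that mapping explicit. The registrations added in commits_controller.rb, refs_controller.rb and repositories_controller.rb sit after `authorize_read_project!` and rely on `project` being loaded by an earlier filter that is outside each hunk, and any other controller serving repository content that is not in this diff would still be unguarded.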
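Review bot: `authorize_modify_issue!` drops the `@issue.assignee == current_user` fallback that the old version granted, so an assignee who is not otherwise covered by the `:modify_issue` ability now gets a 404 on modify actions; if assignees are still meant to edit their own issues, that rule has to live in the ability definition now, and nothing in this diff adds it. The same fallback is removed from `authorize_modify_merge_request!` in merge_requests_controller.rb. Both filters are registered by `before_filter` lines outside these hunks, so which actions they guard cannot be checked here. A comment on each, e.g. `# Render 404 to halt the chain; a before_filter ignores a false return value`, would record why the return style changed.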
@@ -112,12 +112,11 @@ class MergeRequestsController < ApplicationController
 end
 
 def authorize_modify_merge_request!
- can?(current_user, :modify_merge_request, @merge_request) ||
- @merge_request.assignee == current_user
+ return render_404 unless can?(current_user, :modify_merge_request, @merge_request)
 end
 
 def authorize_admin_merge_request!
- can?(current_user, :admin_merge_request, @merge_request)
+ return render_404 unless can?(current_user, :admin_merge_request, @merge_request)
 end
 
 def module_enabled
diff --git a/app/controllers/refs_controller.rb b/app/controllers/refs_controller.rb
index 16cde44fd89..b8ab1bce219 100644
--- a/app/controllers/refs_controller.rb
+++ b/app/controllers/refs_controller.rb
@@ -4,6 +4,7 @@ class RefsController < ApplicationController
 # Authorize
 before_filter :add_project_abilities
 before_filter :authorize_read_project!
+ before_filter :authorize_code_access!
 before_filter :require_non_empty_project
 
 before_filter :ref
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 7bdcdf885d9..036eb3713bf 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -4,6 +4,7 @@ class RepositoriesController < ApplicationController
 # Authorize
 before_filter :add_project_abilities
 before_filter :authorize_read_project!
+ before_filter :authorize_code_access!
 before_filter :require_non_empty_project
 
 before_filter :render_full_content
diff --git a/app/controllers/snippets_controller.rb b/app/controllers/snippets_controller.rb
index efab4c4467d..ec1adeaa66f 100644
--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -1,6 +1,7 @@
 class SnippetsController < ApplicationController
 before_filter :authenticate_user!
 before_filter :project
+ before_filter :snippet, :only => [:show, :edit, :destroy, :update]
 layout "project"
 
 # Authorize
@@ -41,11 +42,9 @@ class SnippetsController < ApplicationController
 end
 
 def edit
- @snippet = @project.snippets.find(params[:id])
 end
 
 def update
- @snippet = @project.snippets.find(params[:id])
 @snippet.update_attributes(params[:snippet])
 
 if @snippet.valid?
@@ -56,15 +55,12 @@ class SnippetsController < ApplicationController
 end
 
 def show
- @snippet = @project.snippets.find(params[:id])
 @notes = @snippet.notes
 @note = @project.notes.new(:noteable => @snippet)
 render_full_content
 end
 
 def destroy
- @snippet = @project.snippets.find(params[:id])
- return access_denied! unless can?(current_user, :admin_snippet, @snippet)
 
 @snippet.destroy
 
@@ -73,12 +69,15 @@ class SnippetsController < ApplicationController
 end
 
 protected
+ def snippet
+ @snippet ||= @project.snippets.find(params[:id])
+ end
 
 def authorize_modify_snippet!
- can?(current_user, :modify_snippet, @snippet)
+ return render_404 unless can?(current_user, :modify_snippet, @snippet)
 end
 
 def authorize_admin_snippet!
- can?(current_user, :admin_snippet, @snippet)
+ return render_404 unless can?(current_user, :admin_snippet, @snippet)
 end
 end
diff --git a/app/controllers/wikis_controller.rb b/app/controllers/wikis_controller.rb
index 5e8365cffa5..9bcd20c3187 100644
--- a/app/controllers/wikis_controller.rb
+++ b/app/controllers/wikis_controller.rb
@@ -2,7 +2,7 @@ class WikisController < ApplicationController
 before_filter :project
 before_filter :add_project_abilities
 before_filter :authorize_read_wiki!
- before_filter :authorize_write_wiki!, :except => [:show, :destroy]
+ before_filter :authorize_write_wiki!, :only => [:edit, :create, :history]
 before_filter :authorize_admin_wiki!, :only => :destroy
 
 layout "project"
@@ -12,6 +12,11 @@ class WikisController < ApplicationController
 else
 @wiki = @project.wikis.where(:slug => params[:id]).order("created_at").last
 end
+
+ unless @wiki
+ return render_404 unless can?(current_user, :write_wiki, @project)
+ end
+
 respond_to do |format|
 if @wiki
 format.html
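Review bot: `destroy` loses its inline `return access_denied! unless can?(current_user, :admin_snippet, @snippet)` guard, so deletion is now protected only if `authorize_admin_snippet!` is registered as a `before_filter` for `:destroy`; that registration lives in the `# Authorize` section outside this hunk and should be confirmed before merging, since the removed line was the only check visible here that stopped a non-admin delete. The `before_filter :snippet` added in the first hunk is declared above that section, so `@snippet` is populated before any authorize filter runs, which the removal depends on. Both `access_denied!` and the new `authorize_admin_snippet!` end in `render_404`, so the visible response for a denied user is unchanged.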
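Review bot: `def snippet` is inserted directly under `protected` with no blank line, unlike the two methods that follow it; add the blank line so the section reads consistently. The lookup is deliberately scoped through `@project.snippets`, which is what prevents a snippet id from another project from resolving, and that intent deserves a comment: `# Scoped to the current project so an id belonging to another project is not found`. With `@snippet ||=` the filter also serves as a memoised accessor, so callers inside the controller should use `snippet` rather than re-running `find`.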
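Review bot: switching `authorize_write_wiki!` from `:except => [:show, :destroy]` to `:only => [:edit, :create, :history]` turns a deny-by-default filter into an allow-list, so any other action the controller defines (an `update` action, for instance, if one exists — the action list is outside this hunk) is no longer covered by the write check; keeping `- before_filter :authorize_write_wiki!, :except => [:show, :destroy]` would give the same result for the visible actions without that gap. Separately, the last hunk of this file deletes the `authorize_read_wiki!`, `authorize_write_wiki!` and `authorize_admin_wiki!` definitions while these `before_filter` lines keep referencing them, so the names must now resolve elsewhere, presumably through a generic handler in ApplicationController that this diff does not add; worth confirming that handler renders 404 rather than returning a boolean, since a false return does not halt a filter chain.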
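Review bot: the nested `unless @wiki` around `return render_404 unless can?(...)` in `show` reads as a double negative; a single guard `return render_404 unless @wiki || can?(current_user, :write_wiki, @project)` states the rule in one line. A comment above it such as `# No such page: only users who may write the wiki get the fall-through instead of a 404` would explain why a read-only viewer sees 404 while a writer continues into the `if @wiki` branch below. `show` begins and ends outside the hunk.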
@@ -51,18 +56,4 @@ class WikisController < ApplicationController
 format.html { redirect_to project_wiki_path(@project, :index), notice: "Page was successfully deleted" }
 end
 end
-
- protected
-
- def authorize_read_wiki!
- can?(current_user, :read_wiki, @project)
- end
-
- def authorize_write_wiki!
- can?(current_user, :write_wiki, @project)
- end
-
- def authorize_admin_wiki!
- can?(current_user, :admin_wiki, @project)
- end
 end
|
