From 44261a5d9fd5b78f8a44fe330e2386525f4c3437 Mon Sep 17 00:00:00 2001
From: Valery Sizov <vsv2711@gmail.com>
Date: Wed, 9 Sep 2015 17:36:01 +0300
Subject: integration with gitlab auth

---
 app/controllers/ci/application_controller.rb   | 61 +++++++-------------------
 app/controllers/ci/builds_controller.rb        |  2 +-
 app/controllers/ci/commits_controller.rb       |  2 +-
 app/controllers/ci/projects_controller.rb      | 11 +++--
 app/controllers/ci/user_sessions_controller.rb | 10 -----
 5 files changed, 25 insertions(+), 61 deletions(-)

(limited to 'app/controllers/ci')

diff --git a/app/controllers/ci/application_controller.rb b/app/controllers/ci/application_controller.rb
index 95390d09737..e5c99066a68 100644
--- a/app/controllers/ci/application_controller.rb
+++ b/app/controllers/ci/application_controller.rb
@@ -1,5 +1,5 @@
 module Ci
-  class ApplicationController < ActionController::Base
+  class ApplicationController < ::ApplicationController
     def self.railtie_helpers_paths
       "app/helpers/ci"
     end
@@ -9,49 +9,19 @@ module Ci
     rescue_from Ci::Network::UnauthorizedError, with: :invalid_token
     before_filter :default_headers
     #before_filter :check_config
+    helper_method :gl_project
 
     protect_from_forgery
 
-    helper_method :current_user
-    before_filter :reset_cache
-
     private
 
-    def current_user
-      @current_user ||= session[:ci_current_user]
-    end
-
-    def sign_in(user)
-      session[:ci_current_user] = user
-    end
-
-    def sign_out
-      reset_session
-    end
-
-    def authenticate_user!
-      unless current_user
-        redirect_to new_ci_user_sessions_path
-        return
-      end
-    end
-
-    def authenticate_admin!
-      unless current_user && current_user.is_admin
-        redirect_to new_ci_user_sessions_path
-        return
-      end
-    end
-
     def authenticate_public_page!
       unless project.public
         unless current_user
-          redirect_to(new_ci_user_sessions_path(state: generate_oauth_state(request.fullpath))) and return
+          redirect_to(new_user_sessions_path) and return
         end
 
-        unless current_user.can_access_project?(project.gitlab_id)
-          page_404 and return
-        end
+        return access_denied! unless can?(current_user, :read_project, gl_project)
       end
     end
 
@@ -62,19 +32,23 @@ module Ci
     end
 
     def authorize_access_project!
-      unless current_user.can_access_project?(@project.gitlab_id)
+      unless can?(current_user, :read_project, gl_project)
         return page_404
       end
     end
 
-    def authorize_project_developer!
-      unless current_user.has_developer_access?(@project.gitlab_id)
+    def authorize_manage_builds!
+      unless can?(current_user, :manage_builds, gl_project)
         return page_404
       end
     end
 
+    def authenticate_admin!
+      return render_404 unless current_user.is_admin?
+    end
+
     def authorize_manage_project!
-      unless current_user.can_manage_project?(@project.gitlab_id)
+      unless can?(current_user, :manage_project, gl_project)
         return page_404
       end
     end
@@ -83,13 +57,6 @@ module Ci
       render file: "#{Rails.root}/public/404.html", status: 404, layout: false
     end
 
-    # Reset user cache every day for security purposes
-    def reset_cache
-      if current_user && current_user.sync_at < (Time.zone.now - 24.hours)
-        current_user.reset_cache
-      end
-    end
-
     def default_headers
       headers['X-Frame-Options'] = 'DENY'
       headers['X-XSS-Protection'] = '1; mode=block'
@@ -129,5 +96,9 @@ module Ci
       reset_session
       redirect_to ci_root_path
     end
+
+    def gl_project
+      ::Project.find(@project.gitlab_id)
+    end
   end
 end
diff --git a/app/controllers/ci/builds_controller.rb b/app/controllers/ci/builds_controller.rb
index eeff3f1e0a0..28fad3671f7 100644
--- a/app/controllers/ci/builds_controller.rb
+++ b/app/controllers/ci/builds_controller.rb
@@ -5,7 +5,7 @@ module Ci
     before_filter :project
     before_filter :authorize_access_project!, except: [:status, :show]
     before_filter :authorize_manage_project!, except: [:status, :show, :retry, :cancel]
-    before_filter :authorize_project_developer!, only: [:retry, :cancel]
+    before_filter :authorize_manage_builds!, only: [:retry, :cancel]
     before_filter :build, except: [:show]
 
     def show
diff --git a/app/controllers/ci/commits_controller.rb b/app/controllers/ci/commits_controller.rb
index 9f74a2fd807..bad9075dde6 100644
--- a/app/controllers/ci/commits_controller.rb
+++ b/app/controllers/ci/commits_controller.rb
@@ -4,7 +4,7 @@ module Ci
     before_filter :authenticate_public_page!, only: :show
     before_filter :project
     before_filter :authorize_access_project!, except: [:status, :show, :cancel]
-    before_filter :authorize_project_developer!, only: [:cancel]
+    before_filter :authorize_manage_builds!, only: [:cancel]
     before_filter :commit, only: :show
 
     def show
diff --git a/app/controllers/ci/projects_controller.rb b/app/controllers/ci/projects_controller.rb
index 6ff7fc9f77a..80a5e602171 100644
--- a/app/controllers/ci/projects_controller.rb
+++ b/app/controllers/ci/projects_controller.rb
@@ -21,12 +21,15 @@ module Ci
       @limit, @offset = (params[:limit] || PROJECTS_BATCH).to_i, (params[:offset] || 0).to_i
       @page = @offset == 0 ? 1 : (@offset / @limit + 1)
 
-      current_user.reset_cache if params[:reset_cache]
+      @gl_projects = current_user.authorized_projects
+      @gl_projects = @gl_projects.where("name LIKE %?%", params[:search]) if params[:search]
+      @gl_projects = @gl_projects.page(@page).per(@limit)
 
-      @gl_projects = current_user.gitlab_projects(params[:search], @page, @limit)
       @projects = Ci::Project.where(gitlab_id: @gl_projects.map(&:id)).ordered_by_last_commit_date
       @total_count = @gl_projects.size
-      @gl_projects.reject! { |gl_project| @projects.map(&:gitlab_id).include?(gl_project.id) }
+      
+      @gl_projects = @gl_projects.where.not(id: @projects.map(&:gitlab_id))
+
       respond_to do |format|
         format.json do
           pager_json("ci/projects/gitlab", @total_count)
@@ -52,7 +55,7 @@ module Ci
     def create
       project_data = OpenStruct.new(JSON.parse(params["project"]))
 
-      unless current_user.can_manage_project?(project_data.id)
+      unless can?(current_user, :manage_project, ::Project.find(project_data.id))
         return redirect_to ci_root_path, alert: 'You have to have at least master role to enable CI for this project'
       end
 
diff --git a/app/controllers/ci/user_sessions_controller.rb b/app/controllers/ci/user_sessions_controller.rb
index 82134c1f7ba..818e1fcdea1 100644
--- a/app/controllers/ci/user_sessions_controller.rb
+++ b/app/controllers/ci/user_sessions_controller.rb
@@ -10,11 +10,6 @@ module Ci
     end
 
     def auth
-      unless is_oauth_state_valid?(params[:state])
-        redirect_to new_ci_user_sessions_path
-        return
-      end
-
       redirect_to client.auth_code.authorize_url({
         redirect_uri: callback_ci_user_sessions_url,
         state: params[:state]
@@ -22,11 +17,6 @@ module Ci
     end
 
     def callback
-      unless is_oauth_state_valid?(params[:state])
-        redirect_to new_ci_user_sessions_path
-        return
-      end
-
       token = client.auth_code.get_token(params[:code], redirect_uri: callback_ci_user_sessions_url).token
       
       @user_session = Ci::UserSession.new
-- 
cgit v1.2.1