From 44261a5d9fd5b78f8a44fe330e2386525f4c3437 Mon Sep 17 00:00:00 2001
From: Valery Sizov
Date: Wed, 9 Sep 2015 17:36:01 +0300
Subject: integration with gitlab auth

---
 app/controllers/ci/application_controller.rb | 61 +++++++------------------
 app/controllers/ci/builds_controller.rb | 2 +-
 app/controllers/ci/commits_controller.rb | 2 +-
 app/controllers/ci/projects_controller.rb | 11 +++--
 app/controllers/ci/user_sessions_controller.rb | 10 -----
 5 files changed, 25 insertions(+), 61 deletions(-)
(limited to 'app/controllers')

diff --git a/app/controllers/ci/application_controller.rb b/app/controllers/ci/application_controller.rb
index 95390d09737..e5c99066a68 100644
--- a/app/controllers/ci/application_controller.rb
+++ b/app/controllers/ci/application_controller.rb
@@ -1,5 +1,5 @@
 module Ci
-  class ApplicationController < ActionController::Base
+  class ApplicationController < ::ApplicationController
     def self.railtie_helpers_paths
       "app/helpers/ci"
     end
@@ -9,49 +9,19 @@ module Ci
     rescue_from Ci::Network::UnauthorizedError, with: :invalid_token
     before_filter :default_headers
     #before_filter :check_config
+    helper_method :gl_project
     protect_from_forgery
-    helper_method :current_user
-    before_filter :reset_cache
-
     private
-    def current_user
-      @current_user ||= session[:ci_current_user]
-    end
-
-    def sign_in(user)
-      session[:ci_current_user] = user
-    end
-
-    def sign_out
-      reset_session
-    end
-
-    def authenticate_user!
-      unless current_user
-        redirect_to new_ci_user_sessions_path
-        return
-      end
-    end
-
-    def authenticate_admin!
-      unless current_user && current_user.is_admin
-        redirect_to new_ci_user_sessions_path
-        return
-      end
-    end
-
     def authenticate_public_page!
       unless project.public
         unless current_user
-          redirect_to(new_ci_user_sessions_path(state: generate_oauth_state(request.fullpath))) and return
+          redirect_to(new_user_sessions_path) and return
         end
-        unless current_user.can_access_project?(project.gitlab_id)
-          page_404 and return
-        end
+        return access_denied! unless can?(current_user, :read_project, gl_project)
       end
     end
@@ -62,19 +32,23 @@ module Ci
     end
     def authorize_access_project!
-      unless current_user.can_access_project?(@project.gitlab_id)
+      unless can?(current_user, :read_project, gl_project)
         return page_404
       end
     end
-    def authorize_project_developer!
-      unless current_user.has_developer_access?(@project.gitlab_id)
+    def authorize_manage_builds!
+      unless can?(current_user, :manage_builds, gl_project)
         return page_404
       end
     end
+    def authenticate_admin!
+      return render_404 unless current_user.is_admin?
+    end
+
     def authorize_manage_project!
-      unless current_user.can_manage_project?(@project.gitlab_id)
+      unless can?(current_user, :manage_project, gl_project)
         return page_404
       end
     end
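Review bot: In `authenticate_public_page!` an authenticated user without `:read_project` now gets `access_denied!`, whereas `authorize_access_project!` in the next hunk (and the other authorize filters) answer the identical condition with `page_404`. Unless `access_denied!` in the parent controller is confirmed to produce the same response as `page_404`, a private project's existence can be inferred from which of the two a probe receives on the `show` path versus the other actions; `return page_404 unless can?(current_user, :read_project, gl_project)` keeps both paths indistinguishable. The redirect also drops the `state:` return path the old call carried, so an anonymous visitor is no longer sent back to the requested page after signing in — if the shared GitLab session is expected to handle that, a one-line comment saying so would save the next reader the question.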
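Review bot: The re-added `authenticate_admin!` calls `current_user.is_admin?` without the nil guard the removed version had (`current_user && current_user.is_admin`), so an anonymous request to an admin-filtered action raises `NoMethodError` rather than getting a 404 unless a parent authentication filter is guaranteed to run first, which this hunk does not show. It also answers with `render_404` while the neighbouring filters use `page_404`; `return page_404 unless current_user && current_user.is_admin?` restores the guard and keeps the filters consistent. The enclosing class continues outside the hunk.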
@@ -83,13 +57,6 @@ module Ci
       render file: "#{Rails.root}/public/404.html", status: 404, layout: false
     end
-    # Reset user cache every day for security purposes
-    def reset_cache
-      if current_user && current_user.sync_at < (Time.zone.now - 24.hours)
-        current_user.reset_cache
-      end
-    end
-
     def default_headers
       headers['X-Frame-Options'] = 'DENY'
       headers['X-XSS-Protection'] = '1; mode=block'
@@ -129,5 +96,9 @@ module Ci
       reset_session
       redirect_to ci_root_path
     end
+
+    def gl_project
+      ::Project.find(@project.gitlab_id)
+    end
   end
 end
diff --git a/app/controllers/ci/builds_controller.rb b/app/controllers/ci/builds_controller.rb
index eeff3f1e0a0..28fad3671f7 100644
--- a/app/controllers/ci/builds_controller.rb
+++ b/app/controllers/ci/builds_controller.rb
@@ -5,7 +5,7 @@ module Ci
     before_filter :project
     before_filter :authorize_access_project!, except: [:status, :show]
     before_filter :authorize_manage_project!, except: [:status, :show, :retry, :cancel]
-    before_filter :authorize_project_developer!, only: [:retry, :cancel]
+    before_filter :authorize_manage_builds!, only: [:retry, :cancel]
     before_filter :build, except: [:show]
     def show
diff --git a/app/controllers/ci/commits_controller.rb b/app/controllers/ci/commits_controller.rb
index 9f74a2fd807..bad9075dde6 100644
--- a/app/controllers/ci/commits_controller.rb
+++ b/app/controllers/ci/commits_controller.rb
@@ -4,7 +4,7 @@ module Ci
     before_filter :authenticate_public_page!, only: :show
     before_filter :project
     before_filter :authorize_access_project!, except: [:status, :show, :cancel]
-    before_filter :authorize_project_developer!, only: [:cancel]
+    before_filter :authorize_manage_builds!, only: [:cancel]
     before_filter :commit, only: :show
     def show
diff --git a/app/controllers/ci/projects_controller.rb b/app/controllers/ci/projects_controller.rb
index 6ff7fc9f77a..80a5e602171 100644
--- a/app/controllers/ci/projects_controller.rb
+++ b/app/controllers/ci/projects_controller.rb
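Review bot: `gl_project` issues `::Project.find(@project.gitlab_id)` on every call, and it is both the object every authorize filter checks and a `helper_method` available to views, so a single request can repeat the same lookup several times; memoising it as `@gl_project ||= ::Project.find(@project.gitlab_id)` avoids that. It also depends on `@project` having been set by the `project` filter and raises `ActiveRecord::RecordNotFound` when the stored `gitlab_id` no longer resolves, neither of which is stated; a short comment such as `# Requires the :project filter to have run; raises RecordNotFound if the GitLab project is gone` would document the precondition for the callers in `builds_controller.rb` and `commits_controller.rb`.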
@@ -21,12 +21,15 @@ module Ci
       @limit, @offset = (params[:limit] || PROJECTS_BATCH).to_i, (params[:offset] || 0).to_i
       @page = @offset == 0 ? 1 : (@offset / @limit + 1)
-      current_user.reset_cache if params[:reset_cache]
+      @gl_projects = current_user.authorized_projects
+      @gl_projects = @gl_projects.where("name LIKE %?%", params[:search]) if params[:search]
+      @gl_projects = @gl_projects.page(@page).per(@limit)
-      @gl_projects = current_user.gitlab_projects(params[:search], @page, @limit)
       @projects = Ci::Project.where(gitlab_id: @gl_projects.map(&:id)).ordered_by_last_commit_date
       @total_count = @gl_projects.size
-      @gl_projects.reject! { |gl_project| @projects.map(&:gitlab_id).include?(gl_project.id) }
+
+      @gl_projects = @gl_projects.where.not(id: @projects.map(&:gitlab_id))
+
       respond_to do |format|
         format.json do
           pager_json("ci/projects/gitlab", @total_count)
@@ -52,7 +55,7 @@ module Ci
     def create
       project_data = OpenStruct.new(JSON.parse(params["project"]))
-      unless current_user.can_manage_project?(project_data.id)
+      unless can?(current_user, :manage_project, ::Project.find(project_data.id))
         return redirect_to ci_root_path, alert: 'You have to have at least master role to enable CI for this project'
       end
diff --git a/app/controllers/ci/user_sessions_controller.rb b/app/controllers/ci/user_sessions_controller.rb
index 82134c1f7ba..818e1fcdea1 100644
--- a/app/controllers/ci/user_sessions_controller.rb
+++ b/app/controllers/ci/user_sessions_controller.rb
@@ -10,11 +10,6 @@ module Ci
     end
     def auth
-      unless is_oauth_state_valid?(params[:state])
-        redirect_to new_ci_user_sessions_path
-        return
-      end
-
       redirect_to client.auth_code.authorize_url({
         redirect_uri: callback_ci_user_sessions_url,
         state: params[:state]
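Review bot: The search clause `where("name LIKE %?%", params[:search])` cannot produce a valid LIKE pattern: the bind placeholder is quoted as a whole value, so the SQL sent is of the form `name LIKE %'term'%`, which the database rejects on the first search request. The wildcards belong inside the bound value, `@gl_projects = @gl_projects.where("name LIKE ?", "%#{params[:search]}%") if params[:search]`; and because `%` and `_` in user input are LIKE metacharacters, escaping the term first (`sanitize_sql_like` on Rails 4.2+, otherwise a small `gsub`) keeps a search string from matching more than intended. The value is still bound rather than interpolated into the SQL, so this is a correctness issue rather than an injection one. The `index` action continues outside the hunk.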
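Review bot: `::Project.find(project_data.id)` in `create` takes its id straight from the client-supplied JSON in `params["project"]`, so an id that does not exist raises `ActiveRecord::RecordNotFound` and never reaches the alert redirect on the next line. Looking the project up with `find_by` and treating a miss like a missing permission keeps one response path: `gl_project = ::Project.find_by(id: project_data.id)` followed by `unless gl_project && can?(current_user, :manage_project, gl_project)`. The rest of `create` is outside the hunk.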
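Review bot: Dropping the `is_oauth_state_valid?(params[:state])` check from `auth` leaves the `state` forwarded to the authorize URL unvalidated, and the same removal in the `callback` hunk that follows (also in `user_sessions_controller.rb`) means `callback` now exchanges `params[:code]` for a token without tying the round trip back to the browser session; `state` is the client-side CSRF binding of the authorization-code flow, so while `callback` remains routable the action can no longer tell a response to its own authorize request from one it did not initiate (login CSRF). If this OAuth flow is being retired in favour of the shared GitLab session, the `auth`/`callback` actions and their routes should be removed in the same change; if they stay, the check should at least remain in `callback`, `return redirect_to new_ci_user_sessions_path unless is_oauth_state_valid?(params[:state])`. Both `auth` and `callback` continue outside their hunks.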
@@ -22,11 +17,6 @@ module Ci
     end
     def callback
-      unless is_oauth_state_valid?(params[:state])
-        redirect_to new_ci_user_sessions_path
-        return
-      end
-
       token = client.auth_code.get_token(params[:code], redirect_uri: callback_ci_user_sessions_url).token
       @user_session = Ci::UserSession.new
-- 
cgit v1.2.1