Improve authorization for new/edit blob pages

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

app/controllers/projects/blob_controller.rb

@@ -6,6 +6,7 @@ class Projects::BlobController < Projects::ApplicationController
   before_filter :authorize_read_project!
   before_filter :authorize_code_access!
   before_filter :require_non_empty_project
+  before_filter :authorize_push!, only: [:destroy]
 
   before_filter :blob
 

app/controllers/projects/edit_tree_controller.rb

 class Projects::EditTreeController < Projects::BaseTreeController
   before_filter :require_branch_head
   before_filter :blob
+  before_filter :authorize_push!
 
   def show
     @last_commit = Gitlab::Git::Commit.last_for_path(@repository, @ref, @path).sha

app/controllers/projects/new_tree_controller.rb

 class Projects::NewTreeController < Projects::BaseTreeController
   before_filter :require_branch_head
+  before_filter :authorize_push!
 
   def show
   end

app/views/projects/tree/_tree.html.haml

@@ -9,7 +9,7 @@
         = link_to truncate(title, length: 40), project_tree_path(@project, path)
       - else
         = link_to title, '#'
-  - if @repository.branch_names.include?(@ref)
+  - if current_user && @repository.branch_names.include?(@ref) && current_user.can?(:push_code, @project)
     %li
       = link_to project_new_tree_path(@project, @id), title: 'New file', id: 'new-file-link' do
         %small