Commit 237ddd60 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Improve authorization for new/edit blob pages

Signed-off-by: default avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 4645f464
...@@ -6,6 +6,7 @@ class Projects::BlobController < Projects::ApplicationController ...@@ -6,6 +6,7 @@ class Projects::BlobController < Projects::ApplicationController
before_filter :authorize_read_project! before_filter :authorize_read_project!
before_filter :authorize_code_access! before_filter :authorize_code_access!
before_filter :require_non_empty_project before_filter :require_non_empty_project
before_filter :authorize_push!, only: [:destroy]
before_filter :blob before_filter :blob
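Review bot: `authorize_push!` is attached with `only: [:destroy]`, which is an allow-list, so any other repository-writing action this controller has or later gains stays unguarded unless the list is extended. A comment above the filter, such as `# every action that writes to the repository must be listed here`, would make that explicit. The definition of `authorize_push!` is outside this diff, so it is worth confirming whether it also honours per-branch restrictions (for example protected branches) on `@ref`, since these actions write to one specific branch. The same question applies to the filters added in EditTreeController and NewTreeController. The class body continues outside the hunk.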
......
class Projects::EditTreeController < Projects::BaseTreeController class Projects::EditTreeController < Projects::BaseTreeController
before_filter :require_branch_head before_filter :require_branch_head
before_filter :blob before_filter :blob
before_filter :authorize_push!
def show def show
@last_commit = Gitlab::Git::Commit.last_for_path(@repository, @ref, @path).sha @last_commit = Gitlab::Git::Commit.last_for_path(@repository, @ref, @path).sha
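Review bot: `before_filter :authorize_push!` is registered after `:require_branch_head` and `:blob`, so the branch and blob lookups run before the permission check, whereas BlobController in this same commit places the filter ahead of `:blob`. Declaring `before_filter :authorize_push!` as the first filter in the class keeps the authorization decision ahead of repository access and makes the controllers consistent. NewTreeController has the same ordering, with the filter after `:require_branch_head`. Both class bodies continue outside the visible hunks.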
......
class Projects::NewTreeController < Projects::BaseTreeController class Projects::NewTreeController < Projects::BaseTreeController
before_filter :require_branch_head before_filter :require_branch_head
before_filter :authorize_push!
def show def show
end end
......
...@@ -9,7 +9,7 @@ ...@@ -9,7 +9,7 @@
= link_to truncate(title, length: 40), project_tree_path(@project, path) = link_to truncate(title, length: 40), project_tree_path(@project, path)
- else - else
= link_to title, '#' = link_to title, '#'
- if @repository.branch_names.include?(@ref) - if current_user && @repository.branch_names.include?(@ref) && current_user.can?(:push_code, @project)
%li %li
= link_to project_new_tree_path(@project, @id), title: 'New file', id: 'new-file-link' do = link_to project_new_tree_path(@project, @id), title: 'New file', id: 'new-file-link' do
%small %small
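Review bot: The link condition spells out the permission rule inline as `current_user.can?(:push_code, @project)`, while the controllers enforce it through `authorize_push!`, whose definition is not on this page. If the two rules ever differ, the "New file" link will be shown to users the controller rejects, or hidden from users it accepts. A single helper wrapping the three checks would keep view and controller aligned, e.g. `- if allowed_tree_edit?` (the helper name is a suggestion, not something visible in this diff). The `link_to ... do` block continues past the end of the hunk.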
......