updated controllers with permissions check

8c508037 · James Lopez · 5355589c · 5355589c · 8c508037 · 8c508037
Commit 8c508037 authored May 13, 2016 by James Lopez
3 changed files
--- a/app/controllers/import/gitlab_project_controller.rb
+++ b/app/controllers/import/gitlab_project_controller.rb
-class Import::GitlabProjectController < Import::BaseController
-  before_action :verify_gitlab_project_import_enabled
-  before_action :gitlab_project_auth, except: :callback
-
-  rescue_from OAuth::Error, with: :gitlab_project_unauthorized
-
-  #TODO permissions stuff
-
-  def callback
-
-    redirect_to status_import_gitlab_project_url
-  end
-
-  def status
-    @repos = client.projects
-    @incompatible_repos = client.incompatible_projects
-
-    @already_added_projects = current_user.created_projects.where(import_type: "gitlab_project")
-    already_added_projects_names = @already_added_projects.pluck(:import_source)
-
-    @repos.to_a.reject!{ |repo| already_added_projects_names.include? "#{repo["owner"]}/#{repo["slug"]}" }
-  end
-
-  def jobs
-    jobs = current_user.created_projects.where(import_type: "gitlab_project").to_json(only: [:id, :import_status])
-    render json: jobs
-  end
-
-  def create
-    @file = params[:file]
-
-    repo_owner = current_user.username
-    @target_namespace = params[:new_namespace].presence || repo_owner
-
-    # namespace = get_or_create_namespace || (render and return)
-
-    @project = Gitlab::ImportExport::ImportService.execute(archive_file: file, owner: repo_owner)
-  end
-
-  private
-
-  def verify_gitlab_project_import_enabled
-    render_404 unless gitlab_project_import_enabled?
-  end
-end
--- a/app/controllers/import/gitlab_projects_controller.rb
+++ b/app/controllers/import/gitlab_projects_controller.rb
 class Import::GitlabProjectsController < Import::BaseController
  before_action :verify_gitlab_project_import_enabled
-  #before_action :gitlab_project_auth, except: :callback
+  before_action :verify_project_and_namespace_access

  rescue_from OAuth::Error, with: :gitlab_project_unauthorized

-  #TODO permissions stuff
-
  def new
    @namespace_id = project_params[:namespace_id]
    @path = project_params[:path]
  end

-  def status
-
-  end
+  def create
+    @project = Project.create_from_import_job(current_user_id: current_user.id,
+                                              tmp_file: File.expand_path(params[:file].path),
+                                              namespace_id: project_params[:namespace_id],
+                                              project_path: project_params[:path])

-  def jobs
-    jobs = current_user.created_projects.where(import_type: "gitlab_project").to_json(only: [:id, :import_status])
-    render json: jobs
+    redirect_to dashboard_projects_path
  end

-  def create
-    # TODO verify access to namespace and path
-    file = params[:file]
-    namespace_id = project_params[:namespace_id]
-    path = project_params[:path]
-
-    repo_owner = current_user.username
-    @target_namespace = params[:new_namespace].presence || repo_owner
+  private

-    @project = Project.create_from_import_job(current_user_id: current_user.id,
-                                              tmp_file: File.expand_path(file.path),
-                                              namespace_id: namespace_id,
-                                              project_path: path)
+  def verify_project_and_namespace_access
+    unless namespace_access? && project_access?
+      render_403
+    end
+  end

-    redirect_to status_import_gitlab_project_path
+  def project_access?
+    can?(current_user, :admin_project, @project)
  end

-  private
+  def namespace_access?
+    current_user.can?(:create_projects, Namespace.find(project_params[:namespace_id]))
+  end

  def verify_gitlab_project_import_enabled
    render_404 unless gitlab_project_import_enabled?

--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -7,7 +7,7 @@ class ProjectsController < Projects::ApplicationController
  before_action :assign_ref_vars, :tree, only: [:show], if: :repo_exists?

  # Authorize
-  before_action :authorize_admin_project!, only: [:edit, :update, :housekeeping]
+  before_action :authorize_admin_project!, only: [:edit, :update, :housekeeping, :download_export, :export]
  before_action :event_filter, only: [:show, :activity]

  layout :determine_layout