Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
8c40aab1
Commit
8c40aab1
authored
Feb 22, 2012
by
Dmitriy Zaporozhets
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Abilities extended. Resources security improved
parent
af82b677
Changes
16
Show whitespace changes
Inline
Side-by-side
Showing
16 changed files
with
51 additions
and
52 deletions
+51
-52
app/controllers/application_controller.rb
app/controllers/application_controller.rb
+4
-0
app/controllers/commits_controller.rb
app/controllers/commits_controller.rb
+1
-0
app/controllers/issues_controller.rb
app/controllers/issues_controller.rb
+2
-3
app/controllers/merge_requests_controller.rb
app/controllers/merge_requests_controller.rb
+2
-3
app/controllers/refs_controller.rb
app/controllers/refs_controller.rb
+1
-0
app/controllers/repositories_controller.rb
app/controllers/repositories_controller.rb
+1
-0
app/controllers/snippets_controller.rb
app/controllers/snippets_controller.rb
+6
-7
app/controllers/wikis_controller.rb
app/controllers/wikis_controller.rb
+6
-15
app/models/ability.rb
app/models/ability.rb
+11
-5
app/models/project.rb
app/models/project.rb
+1
-1
app/views/help/permissions.html.haml
app/views/help/permissions.html.haml
+4
-1
app/views/issues/_show.html.haml
app/views/issues/_show.html.haml
+1
-2
app/views/layouts/_project_menu.html.haml
app/views/layouts/_project_menu.html.haml
+3
-2
app/views/merge_requests/show.html.haml
app/views/merge_requests/show.html.haml
+1
-2
app/views/widgets/_project_member.html.haml
app/views/widgets/_project_member.html.haml
+4
-8
app/views/wikis/show.html.haml
app/views/wikis/show.html.haml
+3
-3
No files found.
app/controllers/application_controller.rb
View file @
8c40aab1
...
...
@@ -48,6 +48,10 @@ class ApplicationController < ActionController::Base
return
render_404
unless
can?
(
current_user
,
action
,
project
)
end
def
authorize_code_access!
return
render_404
unless
can?
(
current_user
,
:download_code
,
project
)
end
def
access_denied!
render_404
end
...
...
app/controllers/commits_controller.rb
View file @
8c40aab1
...
...
@@ -7,6 +7,7 @@ class CommitsController < ApplicationController
# Authorize
before_filter
:add_project_abilities
before_filter
:authorize_read_project!
before_filter
:authorize_code_access!
before_filter
:require_non_empty_project
before_filter
:load_refs
,
:only
=>
:index
# load @branch, @tag & @ref
before_filter
:render_full_content
...
...
app/controllers/issues_controller.rb
View file @
8c40aab1
...
...
@@ -126,12 +126,11 @@ class IssuesController < ApplicationController
end
def
authorize_modify_issue!
can?
(
current_user
,
:modify_issue
,
@issue
)
||
@issue
.
assignee
==
current_user
return
render_404
unless
can?
(
current_user
,
:modify_issue
,
@issue
)
end
def
authorize_admin_issue!
can?
(
current_user
,
:admin_issue
,
@issue
)
return
render_404
unless
can?
(
current_user
,
:admin_issue
,
@issue
)
end
def
module_enabled
...
...
app/controllers/merge_requests_controller.rb
View file @
8c40aab1
...
...
@@ -112,12 +112,11 @@ class MergeRequestsController < ApplicationController
end
def
authorize_modify_merge_request!
can?
(
current_user
,
:modify_merge_request
,
@merge_request
)
||
@merge_request
.
assignee
==
current_user
return
render_404
unless
can?
(
current_user
,
:modify_merge_request
,
@merge_request
)
end
def
authorize_admin_merge_request!
can?
(
current_user
,
:admin_merge_request
,
@merge_request
)
return
render_404
unless
can?
(
current_user
,
:admin_merge_request
,
@merge_request
)
end
def
module_enabled
...
...
app/controllers/refs_controller.rb
View file @
8c40aab1
...
...
@@ -4,6 +4,7 @@ class RefsController < ApplicationController
# Authorize
before_filter
:add_project_abilities
before_filter
:authorize_read_project!
before_filter
:authorize_code_access!
before_filter
:require_non_empty_project
before_filter
:ref
...
...
app/controllers/repositories_controller.rb
View file @
8c40aab1
...
...
@@ -4,6 +4,7 @@ class RepositoriesController < ApplicationController
# Authorize
before_filter
:add_project_abilities
before_filter
:authorize_read_project!
before_filter
:authorize_code_access!
before_filter
:require_non_empty_project
before_filter
:render_full_content
...
...
app/controllers/snippets_controller.rb
View file @
8c40aab1
class
SnippetsController
<
ApplicationController
before_filter
:authenticate_user!
before_filter
:project
before_filter
:snippet
,
:only
=>
[
:show
,
:edit
,
:destroy
,
:update
]
layout
"project"
# Authorize
...
...
@@ -41,11 +42,9 @@ class SnippetsController < ApplicationController
end
def
edit
@snippet
=
@project
.
snippets
.
find
(
params
[
:id
])
end
def
update
@snippet
=
@project
.
snippets
.
find
(
params
[
:id
])
@snippet
.
update_attributes
(
params
[
:snippet
])
if
@snippet
.
valid?
...
...
@@ -56,15 +55,12 @@ class SnippetsController < ApplicationController
end
def
show
@snippet
=
@project
.
snippets
.
find
(
params
[
:id
])
@notes
=
@snippet
.
notes
@note
=
@project
.
notes
.
new
(
:noteable
=>
@snippet
)
render_full_content
end
def
destroy
@snippet
=
@project
.
snippets
.
find
(
params
[
:id
])
return
access_denied!
unless
can?
(
current_user
,
:admin_snippet
,
@snippet
)
@snippet
.
destroy
...
...
@@ -73,12 +69,15 @@ class SnippetsController < ApplicationController
end
protected
def
snippet
@snippet
||=
@project
.
snippets
.
find
(
params
[
:id
])
end
def
authorize_modify_snippet!
can?
(
current_user
,
:modify_snippet
,
@snippet
)
return
render_404
unless
can?
(
current_user
,
:modify_snippet
,
@snippet
)
end
def
authorize_admin_snippet!
can?
(
current_user
,
:admin_snippet
,
@snippet
)
return
render_404
unless
can?
(
current_user
,
:admin_snippet
,
@snippet
)
end
end
app/controllers/wikis_controller.rb
View file @
8c40aab1
...
...
@@ -2,7 +2,7 @@ class WikisController < ApplicationController
before_filter
:project
before_filter
:add_project_abilities
before_filter
:authorize_read_wiki!
before_filter
:authorize_write_wiki!
,
:
except
=>
[
:show
,
:destro
y
]
before_filter
:authorize_write_wiki!
,
:
only
=>
[
:edit
,
:create
,
:histor
y
]
before_filter
:authorize_admin_wiki!
,
:only
=>
:destroy
layout
"project"
...
...
@@ -12,6 +12,11 @@ class WikisController < ApplicationController
else
@wiki
=
@project
.
wikis
.
where
(
:slug
=>
params
[
:id
]).
order
(
"created_at"
).
last
end
unless
@wiki
return
render_404
unless
can?
(
current_user
,
:write_wiki
,
@project
)
end
respond_to
do
|
format
|
if
@wiki
format
.
html
...
...
@@ -51,18 +56,4 @@ class WikisController < ApplicationController
format
.
html
{
redirect_to
project_wiki_path
(
@project
,
:index
),
notice:
"Page was successfully deleted"
}
end
end
protected
def
authorize_read_wiki!
can?
(
current_user
,
:read_wiki
,
@project
)
end
def
authorize_write_wiki!
can?
(
current_user
,
:write_wiki
,
@project
)
end
def
authorize_admin_wiki!
can?
(
current_user
,
:admin_wiki
,
@project
)
end
end
app/models/ability.rb
View file @
8c40aab1
...
...
@@ -5,7 +5,7 @@ class Ability
when
"Issue"
then
issue_abilities
(
object
,
subject
)
when
"Note"
then
note_abilities
(
object
,
subject
)
when
"Snippet"
then
snippet_abilities
(
object
,
subject
)
when
"
Wiki"
then
wiki
_abilities
(
object
,
subject
)
when
"
MergeRequest"
then
merge_request
_abilities
(
object
,
subject
)
else
[]
end
end
...
...
@@ -23,13 +23,13 @@ class Ability
:read_note
,
:write_project
,
:write_issue
,
:write_snippet
,
:write_merge_request
,
:write_note
]
if
project
.
guest_access_for?
(
user
)
rules
<<
[
:download_code
,
:write_merge_request
,
:write_snippet
]
if
project
.
report_access_for?
(
user
)
rules
<<
[
...
...
@@ -39,7 +39,7 @@ class Ability
rules
<<
[
:modify_issue
,
:modify_snippet
,
:modify_
wiki
,
:modify_
merge_request
,
:admin_project
,
:admin_issue
,
:admin_snippet
,
...
...
@@ -47,7 +47,7 @@ class Ability
:admin_merge_request
,
:admin_note
,
:admin_wiki
]
if
project
.
master_access_for?
(
user
)
]
if
project
.
master_access_for?
(
user
)
||
project
.
owner
==
user
rules
.
flatten
...
...
@@ -63,6 +63,12 @@ class Ability
:"modify_
#{
name
}
"
,
:"admin_
#{
name
}
"
]
elsif
subject
.
respond_to?
(
:assignee
)
&&
subject
.
assignee
==
user
[
:"read_
#{
name
}
"
,
:"write_
#{
name
}
"
,
:"modify_
#{
name
}
"
,
]
else
subject
.
respond_to?
(
:project
)
?
project_abilities
(
user
,
subject
.
project
)
:
[]
...
...
app/models/project.rb
View file @
8c40aab1
...
...
@@ -188,7 +188,7 @@ class Project < ActiveRecord::Base
elsif
access
.
include?
(
:write
)
{
:project_access
=>
UsersProject
::
DEVELOPER
}
else
{
:project_access
=>
UsersProject
::
GUEST
}
{
:project_access
=>
UsersProject
::
REPORTER
}
end
opts
=
{
:user
=>
user
}
opts
.
merge!
(
access
)
...
...
app/views/help/permissions.html.haml
View file @
8c40aab1
...
...
@@ -4,15 +4,17 @@
%h4
Guest
%ul
%li
Create new issue
%li
Create new merge request
%li
Leave comments
%li
Write on project wall
%h4
Reporter
%ul
%li
Pull project code
%li
Download project
%li
Create new issue
%li
Create new merge request
%li
Write on project wall
%li
Create a code snippets
%h4
Developer
...
...
@@ -25,6 +27,7 @@
%li
Create new issue
%li
Create new merge request
%li
Write on project wall
%li
Write a wiki
%h4
Master
%ul
...
...
app/views/issues/_show.html.haml
View file @
8c40aab1
%li
.wll
{
:id
=>
dom_id
(
issue
),
:class
=>
"issue #{issue.critical ? "
critical
" : ""}"
,
:url
=>
project_issue_path
(
issue
.
project
,
issue
)
}
.right
-
if
can?
current_user
,
:
write
_issue
,
issue
-
if
can?
current_user
,
:
modify
_issue
,
issue
-
if
issue
.
closed
=
link_to
'Reopen'
,
project_issue_path
(
issue
.
project
,
issue
,
:issue
=>
{
:closed
=>
false
},
:status_only
=>
true
),
:method
=>
:put
,
:class
=>
"btn small"
,
:remote
=>
true
-
else
=
link_to
'Resolve'
,
project_issue_path
(
issue
.
project
,
issue
,
:issue
=>
{
:closed
=>
true
},
:status_only
=>
true
),
:method
=>
:put
,
:class
=>
"success btn small"
,
:remote
=>
true
-
if
can?
current_user
,
:write_issue
,
issue
=
link_to
'Edit'
,
edit_project_issue_path
(
issue
.
project
,
issue
),
:class
=>
"btn small edit-issue-link"
,
:remote
=>
true
-#- if can?(current_user, :admin_issue, @project) || issue.author == current_user
= link_to 'Remove', [issue.project, issue], :confirm => 'Are you sure?', :method => :delete, :remote => true, :class => "danger btn small delete-issue", :id => "destroy_issue_#{issue.id}"
...
...
app/views/layouts/_project_menu.html.haml
View file @
8c40aab1
...
...
@@ -4,6 +4,7 @@
Project
-
if
@project
.
repo_exists?
-
if
can?
current_user
,
:download_code
,
@project
=
link_to
"Files"
,
tree_project_ref_path
(
@project
,
@project
.
root_ref
),
:class
=>
tree_tab_class
=
link_to
"Commits"
,
project_commits_path
(
@project
),
:class
=>
commit_tab_class
...
...
app/views/merge_requests/show.html.haml
View file @
8c40aab1
...
...
@@ -10,12 +10,11 @@
=
@merge_request
.
created_at
.
stamp
(
"Aug 21, 2011"
)
%span
.right
-
if
can?
(
current_user
,
:
admin_project
,
@project
)
||
@merge_request
.
author
==
current_user
-
if
can?
(
current_user
,
:
modify_merge_request
,
@merge_request
)
-
if
@merge_request
.
closed
=
link_to
'Reopen'
,
project_merge_request_path
(
@project
,
@merge_request
,
:merge_request
=>
{
:closed
=>
false
},
:status_only
=>
true
),
:method
=>
:put
,
:class
=>
"btn"
-
else
=
link_to
'Close'
,
project_merge_request_path
(
@project
,
@merge_request
,
:merge_request
=>
{
:closed
=>
true
},
:status_only
=>
true
),
:method
=>
:put
,
:class
=>
"btn"
,
:title
=>
"Close merge request"
-
if
can?
(
current_user
,
:admin_project
,
@project
)
||
@merge_request
.
author
==
current_user
=
link_to
edit_project_merge_request_path
(
@project
,
@merge_request
),
:class
=>
"btn small"
do
Edit
...
...
app/views/widgets/_project_member.html.haml
View file @
8c40aab1
...
...
@@ -11,23 +11,19 @@
%p
-
if
@project
.
issues_enabled
%span
Assigned
i
ssues:
Assigned
I
ssues:
=
current_user
.
assigned_issues
.
opened
.
count
%br
-
if
@project
.
merge_requests_enabled
%span
Assigned merge request:
=
current_user
.
assigned_merge_requests
.
opened
.
count
%br
%span
Your merge requests:
Assigned Requests:
=
current_user
.
assigned_merge_requests
.
opened
.
count
%br
%br
-
if
@project
.
merge_requests_enabled
-
if
@project
.
merge_requests_enabled
&&
can?
(
current_user
,
:write_merge_request
,
@project
)
=
link_to
new_project_merge_request_path
(
@project
),
:title
=>
"New Merge Request"
,
:class
=>
"btn small padded"
do
Merge Request
-
if
@project
.
issues_enabled
-
if
@project
.
issues_enabled
&&
can?
(
current_user
,
:write_issue
,
@project
)
=
link_to
new_project_issue_path
(
@project
),
:title
=>
"New Issue"
,
:class
=>
"btn small"
do
Issue
...
...
app/views/wikis/show.html.haml
View file @
8c40aab1
...
...
@@ -11,6 +11,6 @@
=
markdown_to_html
@wiki
.
content
%p
.time
Last edited by
#{
@wiki
.
user
.
name
}
, in
#{
time_ago_in_words
@wiki
.
created_at
}
-
if
can?
current_user
,
:
write
_wiki
,
@project
-
if
can?
current_user
,
:
admin
_wiki
,
@project
=
link_to
project_wiki_path
(
@project
,
@wiki
),
:confirm
=>
"Are you sure you want to delete this page?"
,
:method
=>
:delete
do
Delete this page
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment