Fix mass-assignment. Dont allow users w/o access to create team
This commit is contained in:
parent
70e05801b1
commit
3ddd9f753c
3 changed files with 9 additions and 8 deletions
|
@ -94,6 +94,10 @@ class ApplicationController < ActionController::Base
|
|||
return access_denied! unless can?(current_user, :download_code, project)
|
||||
end
|
||||
|
||||
def authorize_create_team!
|
||||
return access_denied! unless can?(current_user, :create_team, nil)
|
||||
end
|
||||
|
||||
def authorize_manage_user_team!
|
||||
return access_denied! unless user_team.present? && can?(current_user, :manage_user_team, user_team)
|
||||
end
|
||||
|
|
|
@ -1,13 +1,10 @@
|
|||
class TeamsController < ApplicationController
|
||||
# Authorize
|
||||
before_filter :authorize_manage_user_team!
|
||||
before_filter :authorize_admin_user_team!
|
||||
before_filter :authorize_create_team!, only: [:new, :create]
|
||||
before_filter :authorize_manage_user_team!, only: [:edit, :update]
|
||||
before_filter :authorize_admin_user_team!, only: [:destroy]
|
||||
|
||||
# Skip access control on public section
|
||||
skip_before_filter :authorize_manage_user_team!, only: [:index, :show, :new, :destroy, :create, :search, :issues, :merge_requests]
|
||||
skip_before_filter :authorize_admin_user_team!, only: [:index, :show, :new, :create, :search, :issues, :merge_requests]
|
||||
|
||||
layout 'user_team', only: [:show, :edit, :update, :destroy, :issues, :merge_requests, :search]
|
||||
layout 'user_team', except: [:new, :create]
|
||||
|
||||
def index
|
||||
@teams = current_user.user_teams.order('name ASC')
|
||||
|
|
|
@ -40,7 +40,7 @@ class User < ActiveRecord::Base
|
|||
attr_accessible :email, :password, :password_confirmation, :remember_me, :bio, :name, :username,
|
||||
:skype, :linkedin, :twitter, :dark_scheme, :theme_id, :force_random_password,
|
||||
:extern_uid, :provider, as: [:default, :admin]
|
||||
attr_accessible :projects_limit, as: :admin
|
||||
attr_accessible :projects_limit, :can_create_team, :can_create_group, as: :admin
|
||||
|
||||
attr_accessor :force_random_password
|
||||
|
||||
|
|
Loading…
Reference in a new issue