kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Move verification to abilities

Browse source
This commit is contained in:
Felipe Artur 2016-03-29 12:24:42 -03:00
parent b05f0a4858
commit 57519565f1
5 changed files with 47 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
app/controllers/groups/group_members_controller.rb
View file

@ -1,6 +1,7 @@
class Groups::GroupMembersController < Groups::ApplicationController class Groups::GroupMembersController < Groups::ApplicationController
# Authorize # Authorize
before_action :authorize_admin_group_member!, except: [:index, :leave] before_action :authorize_admin_group_member!, except: [:index, :leave]
before_action :authorize_read_group_members, only: [:index]
def index def index
@project = @group.projects.find(params[:project_id]) if params[:project_id] @project = @group.projects.find(params[:project_id]) if params[:project_id]
@ -79,4 +80,10 @@ class Groups::GroupMembersController < Groups::ApplicationController
def member_params def member_params
params.require(:group_member).permit(:access_level, :user_id) params.require(:group_member).permit(:access_level, :user_id)
end end
private
def authorize_read_group_members
render_404 unless can?(current_user, :read_group_members, @group)
end
end end

7
app/controllers/projects/project_members_controller.rb
View file

@ -1,6 +1,7 @@
class Projects::ProjectMembersController < Projects::ApplicationController class Projects::ProjectMembersController < Projects::ApplicationController
# Authorize # Authorize
before_action :authorize_admin_project_member!, except: :leave before_action :authorize_admin_project_member!, except: :leave
before_action :authorize_read_project_members, only: :index
def index def index
@project_members = @project.project_members @project_members = @project.project_members
@ -112,4 +113,10 @@ class Projects::ProjectMembersController < Projects::ApplicationController
def member_params def member_params
params.require(:project_member).permit(:user_id, :access_level) params.require(:project_member).permit(:user_id, :access_level)
end end
private
def authorize_read_project_members
can?(current_user, :read_project_members, @project)
end
end end

8
app/controllers/users_controller.rb
View file

@ -1,7 +1,8 @@
class UsersController < ApplicationController class UsersController < ApplicationController
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
before_action :set_user #TO-DO Remove this "set_user" before action. It is not good to use before filters for loading database records.
before_filter :authorize_read_user, only: [:show] before_action :set_user, except: [:show]
before_action :authorize_read_user, only: [:show]
def show def show
respond_to do |format| respond_to do |format|
@ -76,7 +77,8 @@ class UsersController < ApplicationController
private private
def authorize_read_user def authorize_read_user
render_404 unless @user.public? set_user
render_404 unless can?(current_user, :read_user, @user)
end end
def set_user def set_user

33
app/models/ability.rb
View file

@ -18,6 +18,7 @@ class Ability
when Namespace then namespace_abilities(user, subject) when Namespace then namespace_abilities(user, subject)
when GroupMember then group_member_abilities(user, subject) when GroupMember then group_member_abilities(user, subject)
when ProjectMember then project_member_abilities(user, subject) when ProjectMember then project_member_abilities(user, subject)
when User then user_abilities()
else [] else []
end.concat(global_abilities(user)) end.concat(global_abilities(user))
end end
@ -35,6 +36,8 @@ class Ability
anonymous_project_abilities(subject) anonymous_project_abilities(subject)
when subject.is_a?(Group) || subject.respond_to?(:group) when subject.is_a?(Group) || subject.respond_to?(:group)
anonymous_group_abilities(subject) anonymous_group_abilities(subject)
when subject.is_a?(User)
anonymous_user_abilities()
else else
[] []
end end
@ -67,6 +70,10 @@ class Ability
# Allow to read issues by anonymous user if issue is not confidential # Allow to read issues by anonymous user if issue is not confidential
rules << :read_issue unless subject.is_a?(Issue) && subject.confidential? rules << :read_issue unless subject.is_a?(Issue) && subject.confidential?
# Allow anonymous users to read project members if public is not a restricted level
restricted_public_level = current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
rules << :read_project_member unless restricted_public_level
rules - project_disabled_features_rules(project) rules - project_disabled_features_rules(project)
else else
[] []
@ -81,17 +88,23 @@ class Ability
end end
def anonymous_group_abilities(subject) def anonymous_group_abilities(subject)
rules = []
group = if subject.is_a?(Group) group = if subject.is_a?(Group)
subject subject
else else
subject.group subject.group
end end
if group && group.public? if group
[:read_group] rules << [:read_group] if group.public?
else
[] # Allow anonymous users to read project members if public is not a restricted level
restricted_public_level = current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
rules << [:read_group_members] unless restricted_public_level
end end
rules
end end
def anonymous_personal_snippet_abilities(snippet) def anonymous_personal_snippet_abilities(snippet)
@ -110,6 +123,11 @@ class Ability
end end
end end
def anonymous_user_abilities()
restricted_by_public = current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
[:read_user] unless restricted_by_public
end
def global_abilities(user) def global_abilities(user)
rules = [] rules = []
rules << :create_group if user.can_create_group rules << :create_group if user.can_create_group
@ -164,6 +182,7 @@ class Ability
:download_code, :download_code,
:fork_project, :fork_project,
:read_commit_status, :read_commit_status,
:read_project_members
] ]
end end
@ -285,7 +304,7 @@ class Ability
def group_abilities(user, group) def group_abilities(user, group)
rules = [] rules = []
rules << :read_group if can_read_group?(user, group) rules << [:read_group, :read_group_members] if can_read_group?(user, group)
# Only group masters and group owners can create new projects # Only group masters and group owners can create new projects
if group.has_master?(user) || group.has_owner?(user) || user.admin? if group.has_master?(user) || group.has_owner?(user) || user.admin?
@ -456,6 +475,10 @@ class Ability
rules rules
end end
def user_abilities()
[:read_user]
end
def abilities def abilities
@abilities ||= begin @abilities ||= begin
abilities = Six.new abilities = Six.new

4
app/models/user.rb
View file

@ -835,10 +835,6 @@ class User < ActiveRecord::Base
notification_settings.find_or_initialize_by(source: source) notification_settings.find_or_initialize_by(source: source)
end end
def public?
current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
end
private private
def projects_union def projects_union