gitlab-org--gitlab-foss/config/routes.rb
Marin Jankovski 8ae3112b3f Merge branch 'upload-xss-access-control' into 'master'
Fix note attachments XSS and access control

Replaces the reverted #1528, as proposed in https://gitlab.com/gitlab-org/omnibus-gitlab/issues/434, as discussed with @dzaporozhets and as summarized in #2032.

@marin Could you take a look at the nginx config and apply it to Omnibus once this gets merged?

See merge request !1553
2015-02-20 22:47:54 +00:00

405 lines
11 KiB
Ruby

require 'sidekiq/web'
require 'api/api'
Gitlab::Application.routes.draw do
use_doorkeeper do
controllers applications: 'oauth/applications',
authorized_applications: 'oauth/authorized_applications',
authorizations: 'oauth/authorizations'
end
#
# Search
#
get 'search' => 'search#show'
get 'search/autocomplete' => 'search#autocomplete', as: :search_autocomplete
# API
API::API.logger Rails.logger
mount API::API => '/api'
# Get all keys of user
get ':username.keys' => 'profiles/keys#get_keys' , constraints: { username: /.*/ }
constraint = lambda { |request| request.env['warden'].authenticate? and request.env['warden'].user.admin? }
constraints constraint do
mount Sidekiq::Web, at: '/admin/sidekiq', as: :sidekiq
end
# Enable Grack support
mount Grack::Bundle.new({
git_path: Gitlab.config.git.bin_path,
project_root: Gitlab.config.gitlab_shell.repos_path,
upload_pack: Gitlab.config.gitlab_shell.upload_pack,
receive_pack: Gitlab.config.gitlab_shell.receive_pack
}), at: '/', constraints: lambda { |request| /[-\/\w\.]+\.git\//.match(request.path_info) }, via: [:get, :post]
#
# Help
#
get 'help' => 'help#index'
get 'help/:category/:file' => 'help#show', as: :help_page
get 'help/shortcuts'
#
# Global snippets
#
resources :snippets do
member do
get 'raw'
end
end
get '/s/:username' => 'snippets#user_index', as: :user_snippets, constraints: { username: /.*/ }
#
# Import
#
namespace :import do
resource :github, only: [:create, :new], controller: :github do
get :status
get :callback
get :jobs
end
resource :gitlab, only: [:create, :new], controller: :gitlab do
get :status
get :callback
get :jobs
end
resource :gitorious, only: [:create, :new], controller: :gitorious do
get :status
get :callback
get :jobs
end
end
#
# Uploads
#
scope path: :uploads do
# Note attachments and User/Group/Project avatars
get ":model/:mounted_as/:id/:filename",
to: "uploads#show",
constraints: { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /.+/ }
# Project markdown uploads
get ":id/:secret/:filename",
to: "projects/uploads#show",
constraints: { id: /[a-zA-Z.0-9_\-]+\/[a-zA-Z.0-9_\-]+/, filename: /.+/ }
end
#
# Explore area
#
namespace :explore do
resources :projects, only: [:index] do
collection do
get :trending
get :starred
end
end
resources :groups, only: [:index]
root to: 'projects#trending'
end
# Compatibility with old routing
get 'public' => 'explore/projects#index'
get 'public/projects' => 'explore/projects#index'
#
# Attachments serving
#
get 'files/:type/:id/:filename' => 'files#download', constraints: { id: /\d+/, type: /[a-z]+/, filename: /.+/ }
#
# Admin Area
#
namespace :admin do
resources :users, constraints: { id: /[a-zA-Z.\/0-9_\-]+/ } do
resources :keys, only: [:show, :destroy]
member do
put :team_update
put :block
put :unblock
delete 'remove/:email_id', action: 'remove_email', as: 'remove_email'
end
end
resources :applications
resources :groups, constraints: { id: /[^\/]+/ } do
member do
put :project_teams_update
end
end
resources :hooks, only: [:index, :create, :destroy] do
get :test
end
resources :broadcast_messages, only: [:index, :create, :destroy]
resource :logs, only: [:show]
resource :background_jobs, controller: 'background_jobs', only: [:show]
resources :projects, constraints: { id: /[a-zA-Z.\/0-9_\-]+/ }, only: [:index, :show] do
member do
put :transfer
end
end
resource :application_settings, only: [:show, :update] do
resources :services
end
root to: 'dashboard#index'
end
#
# Profile Area
#
resource :profile, only: [:show, :update] do
member do
get :history
get :design
get :applications
put :reset_private_token
put :update_username
end
scope module: :profiles do
resource :account, only: [:show, :update]
resource :notifications, only: [:show, :update]
resource :password, only: [:new, :create, :edit, :update] do
member do
put :reset
end
end
resources :keys
resources :emails, only: [:index, :create, :destroy]
resources :groups, only: [:index] do
member do
delete :leave
end
end
resource :avatar, only: [:destroy]
end
end
get 'u/:username/calendar' => 'users#calendar', as: :user_calendar,
constraints: { username: /(?:[^.]|\.(?!atom$))+/, format: /atom/ }
get '/u/:username' => 'users#show', as: :user,
constraints: { username: /(?:[^.]|\.(?!atom$))+/, format: /atom/ }
#
# Dashboard Area
#
resource :dashboard, controller: 'dashboard', only: [:show] do
member do
get :projects
get :issues
get :merge_requests
end
end
#
# Groups Area
#
resources :groups, constraints: { id: /(?:[^.]|\.(?!atom$))+/, format: /atom/ } do
member do
get :issues
get :merge_requests
get :members
get :projects
end
scope module: :groups do
resources :group_members, only: [:create, :update, :destroy]
resource :avatar, only: [:destroy]
resources :milestones
end
end
resources :projects, constraints: { id: /[^\/]+/ }, only: [:new, :create]
devise_for :users, controllers: { omniauth_callbacks: :omniauth_callbacks, registrations: :registrations , passwords: :passwords, sessions: :sessions, confirmations: :confirmations }
devise_scope :user do
get '/users/auth/:provider/omniauth_error' => 'omniauth_callbacks#omniauth_error', as: :omniauth_error
end
#
# Project Area
#
resources :projects, constraints: { id: /[a-zA-Z.0-9_\-]+\/[a-zA-Z.0-9_\-]+/ }, except: [:new, :create, :index], path: '/' do
member do
put :transfer
post :archive
post :unarchive
post :upload_image
post :toggle_star
post :markdown_preview
get :autocomplete_sources
end
scope module: :projects do
# Blob routes:
get '/new/:id', to: 'blob#new', constraints: { id: /.+/ }, as: 'new_blob'
post '/create/:id', to: 'blob#create', constraints: { id: /.+/ }, as: 'create_blob'
get '/edit/:id', to: 'blob#edit', constraints: { id: /.+/ }, as: 'edit_blob'
put '/update/:id', to: 'blob#update', constraints: { id: /.+/ }, as: 'update_blob'
post '/preview/:id', to: 'blob#preview', constraints: { id: /.+/ }, as: 'preview_blob'
resources :blob, only: [:show, :destroy], constraints: { id: /.+/, format: false } do
get :diff, on: :member
end
resources :raw, only: [:show], constraints: { id: /.+/ }
resources :tree, only: [:show], constraints: { id: /.+/, format: /(html|js)/ }
resource :avatar, only: [:show, :destroy]
resources :commit, only: [:show], constraints: { id: /[[:alnum:]]{6,40}/ } do
get :branches, on: :member
end
resources :commits, only: [:show], constraints: { id: /(?:[^.]|\.(?!atom$))+/, format: /atom/ }
resources :compare, only: [:index, :create]
resources :blame, only: [:show], constraints: { id: /.+/ }
resources :network, only: [:show], constraints: { id: /(?:[^.]|\.(?!json$))+/, format: /json/ }
resources :graphs, only: [:show], constraints: { id: /(?:[^.]|\.(?!json$))+/, format: /json/ } do
member do
get :commits
end
end
get '/compare/:from...:to' => 'compare#show', :as => 'compare',
:constraints => { from: /.+/, to: /.+/ }
resources :snippets, constraints: { id: /\d+/ } do
member do
get 'raw'
end
end
resources :wikis, only: [:show, :edit, :destroy, :create], constraints: { id: /[a-zA-Z.0-9_\-\/]+/ } do
collection do
get :pages
put ':id' => 'wikis#update'
get :git_access
end
member do
get 'history'
end
end
resource :fork, only: [:new, :create]
resource :import, only: [:new, :create, :show]
resource :repository, only: [:show, :create] do
member do
get 'archive', constraints: { format: Gitlab::Regex.archive_formats_regex }
end
end
resources :services, constraints: { id: /[^\/]+/ }, only: [:index, :edit, :update] do
member do
get :test
end
end
resources :deploy_keys, constraints: { id: /\d+/ } do
member do
put :enable
put :disable
end
end
resources :branches, only: [:index, :new, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
resources :tags, only: [:index, :new, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
resources :protected_branches, only: [:index, :create, :update, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
resources :refs, only: [] do
collection do
get 'switch'
end
member do
# tree viewer logs
get 'logs_tree', constraints: { id: Gitlab::Regex.git_reference_regex }
get 'logs_tree/:path' => 'refs#logs_tree', as: :logs_file, constraints: {
id: Gitlab::Regex.git_reference_regex,
path: /.*/
}
end
end
resources :merge_requests, constraints: { id: /\d+/ }, except: [:destroy] do
member do
get :diffs
post :automerge
get :automerge_check
get :ci_status
end
collection do
get :branch_from
get :branch_to
get :update_branches
end
end
resources :hooks, only: [:index, :create, :destroy], constraints: { id: /\d+/ } do
member do
get :test
end
end
resources :team, controller: 'team_members', only: [:index]
resources :milestones, except: [:destroy], constraints: { id: /\d+/ } do
member do
put :sort_issues
put :sort_merge_requests
end
end
resources :labels, constraints: { id: /\d+/ } do
collection do
post :generate
end
end
resources :issues, constraints: { id: /\d+/ }, except: [:destroy] do
collection do
post :bulk_update
end
end
resources :team_members, except: [:index, :edit], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ } do
collection do
delete :leave
# Used for import team
# from another project
get :import
post :apply_import
end
end
resources :notes, only: [:index, :create, :destroy, :update], constraints: { id: /\d+/ } do
member do
delete :delete_attachment
end
end
end
end
get ':id' => 'namespaces#show', constraints: { id: /(?:[^.]|\.(?!atom$))+/, format: /atom/ }
root to: 'dashboard#show'
end