Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
57519565
Commit
57519565
authored
Mar 29, 2016
by
Felipe Artur
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Move verification to abilities
parent
b05f0a48
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
47 additions
and
12 deletions
+47
-12
app/controllers/groups/group_members_controller.rb
app/controllers/groups/group_members_controller.rb
+7
-0
app/controllers/projects/project_members_controller.rb
app/controllers/projects/project_members_controller.rb
+7
-0
app/controllers/users_controller.rb
app/controllers/users_controller.rb
+5
-3
app/models/ability.rb
app/models/ability.rb
+28
-5
app/models/user.rb
app/models/user.rb
+0
-4
No files found.
app/controllers/groups/group_members_controller.rb
View file @
57519565
class
Groups::GroupMembersController
<
Groups
::
ApplicationController
class
Groups::GroupMembersController
<
Groups
::
ApplicationController
# Authorize
# Authorize
before_action
:authorize_admin_group_member!
,
except:
[
:index
,
:leave
]
before_action
:authorize_admin_group_member!
,
except:
[
:index
,
:leave
]
before_action
:authorize_read_group_members
,
only:
[
:index
]
def
index
def
index
@project
=
@group
.
projects
.
find
(
params
[
:project_id
])
if
params
[
:project_id
]
@project
=
@group
.
projects
.
find
(
params
[
:project_id
])
if
params
[
:project_id
]
...
@@ -79,4 +80,10 @@ class Groups::GroupMembersController < Groups::ApplicationController
...
@@ -79,4 +80,10 @@ class Groups::GroupMembersController < Groups::ApplicationController
def
member_params
def
member_params
params
.
require
(
:group_member
).
permit
(
:access_level
,
:user_id
)
params
.
require
(
:group_member
).
permit
(
:access_level
,
:user_id
)
end
end
private
def
authorize_read_group_members
render_404
unless
can?
(
current_user
,
:read_group_members
,
@group
)
end
end
end
app/controllers/projects/project_members_controller.rb
View file @
57519565
class
Projects::ProjectMembersController
<
Projects
::
ApplicationController
class
Projects::ProjectMembersController
<
Projects
::
ApplicationController
# Authorize
# Authorize
before_action
:authorize_admin_project_member!
,
except: :leave
before_action
:authorize_admin_project_member!
,
except: :leave
before_action
:authorize_read_project_members
,
only: :index
def
index
def
index
@project_members
=
@project
.
project_members
@project_members
=
@project
.
project_members
...
@@ -112,4 +113,10 @@ class Projects::ProjectMembersController < Projects::ApplicationController
...
@@ -112,4 +113,10 @@ class Projects::ProjectMembersController < Projects::ApplicationController
def
member_params
def
member_params
params
.
require
(
:project_member
).
permit
(
:user_id
,
:access_level
)
params
.
require
(
:project_member
).
permit
(
:user_id
,
:access_level
)
end
end
private
def
authorize_read_project_members
can?
(
current_user
,
:read_project_members
,
@project
)
end
end
end
app/controllers/users_controller.rb
View file @
57519565
class
UsersController
<
ApplicationController
class
UsersController
<
ApplicationController
skip_before_action
:authenticate_user!
skip_before_action
:authenticate_user!
before_action
:set_user
#TO-DO Remove this "set_user" before action. It is not good to use before filters for loading database records.
before_filter
:authorize_read_user
,
only:
[
:show
]
before_action
:set_user
,
except:
[
:show
]
before_action
:authorize_read_user
,
only:
[
:show
]
def
show
def
show
respond_to
do
|
format
|
respond_to
do
|
format
|
...
@@ -76,7 +77,8 @@ class UsersController < ApplicationController
...
@@ -76,7 +77,8 @@ class UsersController < ApplicationController
private
private
def
authorize_read_user
def
authorize_read_user
render_404
unless
@user
.
public?
set_user
render_404
unless
can?
(
current_user
,
:read_user
,
@user
)
end
end
def
set_user
def
set_user
...
...
app/models/ability.rb
View file @
57519565
...
@@ -18,6 +18,7 @@ class Ability
...
@@ -18,6 +18,7 @@ class Ability
when
Namespace
then
namespace_abilities
(
user
,
subject
)
when
Namespace
then
namespace_abilities
(
user
,
subject
)
when
GroupMember
then
group_member_abilities
(
user
,
subject
)
when
GroupMember
then
group_member_abilities
(
user
,
subject
)
when
ProjectMember
then
project_member_abilities
(
user
,
subject
)
when
ProjectMember
then
project_member_abilities
(
user
,
subject
)
when
User
then
user_abilities
()
else
[]
else
[]
end
.
concat
(
global_abilities
(
user
))
end
.
concat
(
global_abilities
(
user
))
end
end
...
@@ -35,6 +36,8 @@ class Ability
...
@@ -35,6 +36,8 @@ class Ability
anonymous_project_abilities
(
subject
)
anonymous_project_abilities
(
subject
)
when
subject
.
is_a?
(
Group
)
||
subject
.
respond_to?
(
:group
)
when
subject
.
is_a?
(
Group
)
||
subject
.
respond_to?
(
:group
)
anonymous_group_abilities
(
subject
)
anonymous_group_abilities
(
subject
)
when
subject
.
is_a?
(
User
)
anonymous_user_abilities
()
else
else
[]
[]
end
end
...
@@ -67,6 +70,10 @@ class Ability
...
@@ -67,6 +70,10 @@ class Ability
# Allow to read issues by anonymous user if issue is not confidential
# Allow to read issues by anonymous user if issue is not confidential
rules
<<
:read_issue
unless
subject
.
is_a?
(
Issue
)
&&
subject
.
confidential?
rules
<<
:read_issue
unless
subject
.
is_a?
(
Issue
)
&&
subject
.
confidential?
# Allow anonymous users to read project members if public is not a restricted level
restricted_public_level
=
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
rules
<<
:read_project_member
unless
restricted_public_level
rules
-
project_disabled_features_rules
(
project
)
rules
-
project_disabled_features_rules
(
project
)
else
else
[]
[]
...
@@ -81,17 +88,23 @@ class Ability
...
@@ -81,17 +88,23 @@ class Ability
end
end
def
anonymous_group_abilities
(
subject
)
def
anonymous_group_abilities
(
subject
)
rules
=
[]
group
=
if
subject
.
is_a?
(
Group
)
group
=
if
subject
.
is_a?
(
Group
)
subject
subject
else
else
subject
.
group
subject
.
group
end
end
if
group
&&
group
.
public?
if
group
[
:read_group
]
rules
<<
[
:read_group
]
if
group
.
public?
else
[]
# Allow anonymous users to read project members if public is not a restricted level
restricted_public_level
=
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
rules
<<
[
:read_group_members
]
unless
restricted_public_level
end
end
rules
end
end
def
anonymous_personal_snippet_abilities
(
snippet
)
def
anonymous_personal_snippet_abilities
(
snippet
)
...
@@ -110,6 +123,11 @@ class Ability
...
@@ -110,6 +123,11 @@ class Ability
end
end
end
end
def
anonymous_user_abilities
()
restricted_by_public
=
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
[
:read_user
]
unless
restricted_by_public
end
def
global_abilities
(
user
)
def
global_abilities
(
user
)
rules
=
[]
rules
=
[]
rules
<<
:create_group
if
user
.
can_create_group
rules
<<
:create_group
if
user
.
can_create_group
...
@@ -164,6 +182,7 @@ class Ability
...
@@ -164,6 +182,7 @@ class Ability
:download_code
,
:download_code
,
:fork_project
,
:fork_project
,
:read_commit_status
,
:read_commit_status
,
:read_project_members
]
]
end
end
...
@@ -285,7 +304,7 @@ class Ability
...
@@ -285,7 +304,7 @@ class Ability
def
group_abilities
(
user
,
group
)
def
group_abilities
(
user
,
group
)
rules
=
[]
rules
=
[]
rules
<<
:read_group
if
can_read_group?
(
user
,
group
)
rules
<<
[
:read_group
,
:read_group_members
]
if
can_read_group?
(
user
,
group
)
# Only group masters and group owners can create new projects
# Only group masters and group owners can create new projects
if
group
.
has_master?
(
user
)
||
group
.
has_owner?
(
user
)
||
user
.
admin?
if
group
.
has_master?
(
user
)
||
group
.
has_owner?
(
user
)
||
user
.
admin?
...
@@ -456,6 +475,10 @@ class Ability
...
@@ -456,6 +475,10 @@ class Ability
rules
rules
end
end
def
user_abilities
()
[
:read_user
]
end
def
abilities
def
abilities
@abilities
||=
begin
@abilities
||=
begin
abilities
=
Six
.
new
abilities
=
Six
.
new
...
...
app/models/user.rb
View file @
57519565
...
@@ -835,10 +835,6 @@ class User < ActiveRecord::Base
...
@@ -835,10 +835,6 @@ class User < ActiveRecord::Base
notification_settings
.
find_or_initialize_by
(
source:
source
)
notification_settings
.
find_or_initialize_by
(
source:
source
)
end
end
def
public?
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
end
private
private
def
projects_union
def
projects_union
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment