Commit 0189ee97 authored by randx's avatar randx

Security for online editor. Replace dev_access?, master_access? with can? method usage

parent 5ec1ad8b
...@@ -48,5 +48,13 @@ class TreeController < ProjectResourceController ...@@ -48,5 +48,13 @@ class TreeController < ProjectResourceController
unless @tree.is_blob? && @tree.text? unless @tree.is_blob? && @tree.text?
redirect_to project_tree_path(@project, @id), notice: "You can only edit text files" redirect_to project_tree_path(@project, @id), notice: "You can only edit text files"
end end
allowed = if project.protected_branch? @ref
can?(current_user, :push_code_to_protected_branches, project)
else
can?(current_user, :push_code, project)
end
return access_denied! unless allowed
end end
end end
...@@ -59,4 +59,12 @@ module TreeHelper ...@@ -59,4 +59,12 @@ module TreeHelper
def tree_join(*args) def tree_join(*args)
File.join(*args) File.join(*args)
end end
def allowed_tree_edit?
if @project.protected_branch? @ref
can?(current_user, :push_code_to_protected_branches, @project)
else
can?(current_user, :push_code, @project)
end
end
end end
...@@ -35,9 +35,14 @@ class Ability ...@@ -35,9 +35,14 @@ class Ability
] if project.report_access_for?(user) ] if project.report_access_for?(user)
rules << [ rules << [
:write_wiki :write_wiki,
:push_code
] if project.dev_access_for?(user) ] if project.dev_access_for?(user)
rules << [
:push_code_to_protected_branches
] if project.master_access_for?(user)
rules << [ rules << [
:modify_issue, :modify_issue,
:modify_snippet, :modify_snippet,
......
...@@ -53,6 +53,6 @@ module Authority ...@@ -53,6 +53,6 @@ module Authority
end end
def master_access_for?(user) def master_access_for?(user)
!users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty? || owner_id == user.id !users_projects.where(user_id: user.id, project_access: [UsersProject::MASTER]).empty?
end end
end end
...@@ -181,4 +181,9 @@ module Repository ...@@ -181,4 +181,9 @@ module Repository
def http_url_to_repo def http_url_to_repo
http_url = [Gitlab.config.url, "/", path, ".git"].join('') http_url = [Gitlab.config.url, "/", path, ".git"].join('')
end end
# Check if current branch name is marked as protected in the system
def protected_branch? branch_name
protected_branches.map(&:name).include?(branch_name)
end
end end
.btn-group.tree-btn-group .btn-group.tree-btn-group
-# only show edit link for text files -# only show edit link for text files
- if @tree.text? - if @tree.text?
= link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small" = link_to "edit", edit_project_tree_path(@project, @id), class: "btn very_small", disabled: !allowed_tree_edit?
= link_to "raw", project_blob_path(@project, @id), class: "btn very_small", target: "_blank" = link_to "raw", project_blob_path(@project, @id), class: "btn very_small", target: "_blank"
-# only show normal/blame view links for text files -# only show normal/blame view links for text files
- if @tree.text? - if @tree.text?
......
module Grack module Grack
class Auth < Rack::Auth::Basic class Auth < Rack::Auth::Basic
attr_accessor :user, :project
def valid? def valid?
# Authentication with username and password # Authentication with username and password
email, password = @auth.credentials email, password = @auth.credentials
user = User.find_by_email(email) self.user = User.find_by_email(email)
return false unless user.try(:valid_password?, password) return false unless user.try(:valid_password?, password)
# Set GL_USER env variable # Set GL_USER env variable
...@@ -18,28 +19,39 @@ module Grack ...@@ -18,28 +19,39 @@ module Grack
# Find project by PATH_INFO from env # Find project by PATH_INFO from env
if m = /^\/([\w-]+).git/.match(@request.path_info).to_a if m = /^\/([\w-]+).git/.match(@request.path_info).to_a
return false unless project = Project.find_by_path(m.last) self.project = Project.find_by_path(m.last)
return false unless project
end end
# Git upload and receive # Git upload and receive
if @request.get? if @request.get?
true validate_get_request
elsif @request.post? elsif @request.post?
if @request.path_info.end_with?('git-upload-pack') validate_post_request
return project.dev_access_for?(user)
elsif @request.path_info.end_with?('git-receive-pack')
if project.protected_branches.map(&:name).include?(current_ref)
project.master_access_for?(user)
else
project.dev_access_for?(user)
end
else
false
end
else else
false false
end end
end# valid? end
def validate_get_request
true
end
def validate_post_request
if @request.path_info.end_with?('git-upload-pack')
can?(user, :push_code, project)
elsif @request.path_info.end_with?('git-receive-pack')
action = if project.protected_branch?(current_ref)
:push_code_to_protected_branches
else
:push_code
end
can?(user, action, project)
else
false
end
end
def current_ref def current_ref
if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/ if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment