Commit 494c6dde authored by Darby Frey's avatar Darby Frey

Refactoring and test clean up

parent a2eba097
# frozen_string_literal: true # frozen_string_literal: true
class Projects::Ci::SecureFilesController < Projects::ApplicationController class Projects::Ci::SecureFilesController < Projects::ApplicationController
before_action :check_can_collaborate! before_action :authorize_read_secure_files!
feature_category :pipeline_authoring feature_category :pipeline_authoring
def show def show
end end
private
def check_can_collaborate!
render_404 unless can?(current_user, :read_secure_files, project)
end
end end
...@@ -463,7 +463,6 @@ class ProjectPolicy < BasePolicy ...@@ -463,7 +463,6 @@ class ProjectPolicy < BasePolicy
enable :register_project_runners enable :register_project_runners
enable :update_runners_registration_token enable :update_runners_registration_token
enable :admin_project_google_cloud enable :admin_project_google_cloud
enable :read_secure_files
enable :admin_secure_files enable :admin_secure_files
end end
...@@ -52,17 +52,18 @@ module API ...@@ -52,17 +52,18 @@ module API
body secure_file.file.read body secure_file.file.read
end end
# Additional authorization check for admin endpoints
# All APIs defined below this block will require admin level permissions
before do
authorize! :admin_secure_files, user_project
end
desc 'Upload a Secure File' desc 'Upload a Secure File'
params do params do
requires :name, type: String, desc: 'The name of the file' requires :name, type: String, desc: 'The name of the file'
requires :file, types: [Rack::Multipart::UploadedFile, ::API::Validations::Types::WorkhorseFile], desc: 'The secure file to be uploaded' requires :file, types: [Rack::Multipart::UploadedFile, ::API::Validations::Types::WorkhorseFile], desc: 'The secure file to be uploaded'
optional :permissions, type: String, desc: 'The file permissions', default: 'read_only', values: %w[read_only read_write execute] optional :permissions, type: String, desc: 'The file permissions', default: 'read_only', values: %w[read_only read_write execute]
end end
before do
authorize! :admin_secure_files, user_project
end
route_setting :authentication, basic_auth_personal_access_token: true, job_token_allowed: true route_setting :authentication, basic_auth_personal_access_token: true, job_token_allowed: true
post ':id/secure_files' do post ':id/secure_files' do
secure_file = user_project.secure_files.new( secure_file = user_project.secure_files.new(
...@@ -82,11 +83,6 @@ module API ...@@ -82,11 +83,6 @@ module API
end end
desc 'Delete an individual Secure File' desc 'Delete an individual Secure File'
before do
authorize! :admin_secure_files, user_project
end
route_setting :authentication, basic_auth_personal_access_token: true, job_token_allowed: true route_setting :authentication, basic_auth_personal_access_token: true, job_token_allowed: true
delete ':id/secure_files/:secure_file_id' do delete ':id/secure_files/:secure_file_id' do
secure_file = user_project.secure_files.find(params[:secure_file_id]) secure_file = user_project.secure_files.find(params[:secure_file_id])
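Review bot: The admin-only scope now depends on where the hoisted `before do authorize! :admin_secure_files, user_project end` block sits in the file rather than on a syntactic boundary, so any endpoint later added above it (next to the read endpoints at the top of the hunk) silently escapes the admin check, and any read-only endpoint added below it is over-restricted. Wrapping the upload and delete endpoints in a nested `namespace`/`resource` block with the `before` inside it would make the scope structural and obvious in review. If the comment stays as the only guard, state the contract explicitly, e.g. `# Every endpoint defined below this point mutates secure files and requires :admin_secure_files; keep read-only endpoints above it.` The enclosing resource block starts and ends outside the hunk, so whether other endpoints already sit below this point cannot be confirmed here.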