Commit 9df6f7bf authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

authorized_projects and authorized_groups methods for user

parent 83f2a387
...@@ -5,8 +5,10 @@ class DashboardController < ApplicationController ...@@ -5,8 +5,10 @@ class DashboardController < ApplicationController
before_filter :event_filter, only: :index before_filter :event_filter, only: :index
def index def index
@groups = current_user.accessed_groups @groups = current_user.authorized_groups
@projects = @projects.page(params[:page]).per(30) @projects = @projects.page(params[:page]).per(30)
@events = Event.in_projects(current_user.project_ids) @events = Event.in_projects(current_user.project_ids)
@events = @event_filter.apply_filter(@events) @events = @event_filter.apply_filter(@events)
@events = @events.limit(20).offset(params[:offset] || 0) @events = @events.limit(20).offset(params[:offset] || 0)
...@@ -43,7 +45,7 @@ class DashboardController < ApplicationController ...@@ -43,7 +45,7 @@ class DashboardController < ApplicationController
protected protected
def projects def projects
@projects = current_user.projects_sorted_by_activity @projects = current_user.authorized_projects.sorted_by_activity
end end
def event_filter def event_filter
......
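Review bot: The events query in `index`, `@events = Event.in_projects(current_user.project_ids)`, still keys on `project_ids`, while the projects list now comes from `current_user.authorized_projects`, which by `Project.authorized_for` in this same commit also covers projects the user owns or whose namespace they own; the dashboard can therefore list a project whose events never reach the feed. If the two are meant to agree, feed the events query from the same scope, `@events = Event.in_projects(current_user.authorized_projects.map(&:id))`, before the `.page` call narrows `@projects`. That `project_ids` is the membership association's id reader is inferred from `self.projects.pluck(:namespace_id)` in `User#authorized_groups`; worth confirming. Both hunks sit inside `index` and `projects`, whose bodies continue outside the hunk.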
...@@ -5,6 +5,9 @@ class GroupsController < ApplicationController ...@@ -5,6 +5,9 @@ class GroupsController < ApplicationController
before_filter :group before_filter :group
before_filter :projects before_filter :projects
# Authorize
before_filter :authorize_read_group!
def show def show
@events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0) @events = Event.in_projects(project_ids).limit(20).offset(params[:offset] || 0)
@last_push = current_user.recent_push @last_push = current_user.recent_push
...@@ -54,16 +57,17 @@ class GroupsController < ApplicationController ...@@ -54,16 +57,17 @@ class GroupsController < ApplicationController
end end
def projects def projects
@projects ||= begin @projects ||= group.projects.authorized_for(current_user).sorted_by_activity
if can?(current_user, :manage_group, @group)
@group.projects
else
current_user.projects.where(namespace_id: @group.id)
end.sorted_by_activity.all
end
end end
def project_ids def project_ids
projects.map(&:id) projects.map(&:id)
end end
# Dont allow unauthorized access to group
def authorize_read_group!
unless projects.present? or can?(current_user, :manage_group, @group)
return render_404
end
end
end end
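Review bot: The new `authorize_read_group!` filter reads `@group` directly in `can?(current_user, :manage_group, @group)` while the rewritten `projects` method two lines up goes through the `group` reader, and the condition uses `or` where the style guide wants `||`; one line covers both, `render_404 unless projects.present? || can?(current_user, :manage_group, group)` (the `return` is not needed, since rendering in a before_filter halts the chain). Because the filter's `projects.present?` runs the `authorized_for` query and needs the group to be loaded first, a comment above `before_filter :authorize_read_group!` such as `# must stay after :group and :projects — both are needed to decide access` would keep a future reordering from breaking the check. The enclosing `show` body continues outside the hunk.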
...@@ -76,6 +76,11 @@ class Project < ActiveRecord::Base ...@@ -76,6 +76,11 @@ class Project < ActiveRecord::Base
scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") } scope :sorted_by_activity, ->() { order("(SELECT max(events.created_at) FROM events WHERE events.project_id = projects.id) DESC") }
class << self class << self
def authorized_for user
projects = includes(:users_projects, :namespace)
projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)
end
def active def active
joins(:issues, :notes, :merge_requests).order("issues.created_at, notes.created_at, merge_requests.created_at DESC") joins(:issues, :notes, :merge_requests).order("issues.created_at, notes.created_at, merge_requests.created_at DESC")
end end
...@@ -285,9 +290,4 @@ class Project < ActiveRecord::Base ...@@ -285,9 +290,4 @@ class Project < ActiveRecord::Base
merge_requests merge_requests
end end
end end
def self.authorized_for user
projects = includes(:users_projects, :namespace)
projects = projects.where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)
end
end end
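Review bot: `authorized_for` inside the new `class << self` block assigns the relation to a local `projects` twice and only returns it because the assignment happens to be the last expression; it reads more honestly as a single chain, `includes(:users_projects, :namespace).where("users_projects.user_id = :user_id or projects.owner_id = :user_id or namespaces.owner_id = :user_id", user_id: user.id)`, under `def authorized_for(user)`. The user id is passed as a bound named placeholder, so the string SQL is not an injection concern, but the filter presumably only works because the condition mentions `users_projects` and `namespaces` and Rails promotes the `includes` to a LEFT OUTER JOIN on that basis; a comment above the method, `# includes(...) must become a LEFT OUTER JOIN: owned projects have no users_projects row`, would stop someone swapping in `joins`, which would drop owner-only rows. This hunk moves the method from the bottom of the class rather than changing it.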
...@@ -124,11 +124,15 @@ class User < ActiveRecord::Base ...@@ -124,11 +124,15 @@ class User < ActiveRecord::Base
end end
end end
def accessed_groups def authorized_groups
@accessed_groups ||= begin @authorized_groups ||= begin
groups = Group.where(id: self.projects.pluck(:namespace_id)).all groups = Group.where(id: self.projects.pluck(:namespace_id)).all
groups = groups + self.groups groups = groups + self.groups
groups.uniq groups.uniq
end end
end end
def authorized_projects
Project.authorized_for(self)
end
end end
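Review bot: `authorized_groups` is still built from `self.projects` plus `self.groups`, while the new `authorized_projects` returns `Project.authorized_for(self)`, which also takes in projects the user owns or whose namespace they own; a group the user reaches only through such a project appears in `authorized_projects` but not in `authorized_groups`, so the two lists the dashboard now shows can disagree. If that is unintended, derive the group ids from the same scope, `groups = Group.where(id: authorized_projects.map(&:namespace_id)).all`. Note also that `authorized_groups` is memoized in `@authorized_groups` while `authorized_projects` hands back an unmemoized relation, so a caller that iterates it twice runs the query twice; a one-line comment, `# returns a fresh relation each call; see Project.authorized_for for the ownership rules`, would make that explicit.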