BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
57519565
Commit
57519565
authored
Mar 29, 2016
by
Felipe Artur
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Move verification to abilities
parent
b05f0a48
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
47 additions
and
12 deletions
+47
-12
group_members_controller.rb
app/controllers/groups/group_members_controller.rb
+7
-0
project_members_controller.rb
app/controllers/projects/project_members_controller.rb
+7
-0
users_controller.rb
app/controllers/users_controller.rb
+5
-3
ability.rb
app/models/ability.rb
+28
-5
user.rb
app/models/user.rb
+0
-4
No files found.
app/controllers/groups/group_members_controller.rb
View file @
57519565
class
Groups
::
GroupMembersController
<
Groups
::
ApplicationController
class
Groups
::
GroupMembersController
<
Groups
::
ApplicationController
# Authorize
# Authorize
before_action
:authorize_admin_group_member!
,
except:
[
:index
,
:leave
]
before_action
:authorize_admin_group_member!
,
except:
[
:index
,
:leave
]
before_action
:authorize_read_group_members
,
only:
[
:index
]
def
index
def
index
@project
=
@group
.
projects
.
find
(
params
[
:project_id
])
if
params
[
:project_id
]
@project
=
@group
.
projects
.
find
(
params
[
:project_id
])
if
params
[
:project_id
]
...
@@ -79,4 +80,10 @@ class Groups::GroupMembersController < Groups::ApplicationController
...
@@ -79,4 +80,10 @@ class Groups::GroupMembersController < Groups::ApplicationController
def
member_params
def
member_params
params
.
require
(
:group_member
).
permit
(
:access_level
,
:user_id
)
params
.
require
(
:group_member
).
permit
(
:access_level
,
:user_id
)
end
end
private
def
authorize_read_group_members
render_404
unless
can?
(
current_user
,
:read_group_members
,
@group
)
end
end
end
app/controllers/projects/project_members_controller.rb
View file @
57519565
class
Projects
::
ProjectMembersController
<
Projects
::
ApplicationController
class
Projects
::
ProjectMembersController
<
Projects
::
ApplicationController
# Authorize
# Authorize
before_action
:authorize_admin_project_member!
,
except: :leave
before_action
:authorize_admin_project_member!
,
except: :leave
before_action
:authorize_read_project_members
,
only: :index
def
index
def
index
@project_members
=
@project
.
project_members
@project_members
=
@project
.
project_members
...
@@ -112,4 +113,10 @@ class Projects::ProjectMembersController < Projects::ApplicationController
...
@@ -112,4 +113,10 @@ class Projects::ProjectMembersController < Projects::ApplicationController
def
member_params
def
member_params
params
.
require
(
:project_member
).
permit
(
:user_id
,
:access_level
)
params
.
require
(
:project_member
).
permit
(
:user_id
,
:access_level
)
end
end
private
def
authorize_read_project_members
can?
(
current_user
,
:read_project_members
,
@project
)
end
end
end
app/controllers/users_controller.rb
View file @
57519565
class
UsersController
<
ApplicationController
class
UsersController
<
ApplicationController
skip_before_action
:authenticate_user!
skip_before_action
:authenticate_user!
before_action
:set_user
#TO-DO Remove this "set_user" before action. It is not good to use before filters for loading database records.
before_filter
:authorize_read_user
,
only:
[
:show
]
before_action
:set_user
,
except:
[
:show
]
before_action
:authorize_read_user
,
only:
[
:show
]
def
show
def
show
respond_to
do
|
format
|
respond_to
do
|
format
|
...
@@ -76,7 +77,8 @@ class UsersController < ApplicationController
...
@@ -76,7 +77,8 @@ class UsersController < ApplicationController
private
private
def
authorize_read_user
def
authorize_read_user
render_404
unless
@user
.
public?
set_user
render_404
unless
can?
(
current_user
,
:read_user
,
@user
)
end
end
def
set_user
def
set_user
...
...
app/models/ability.rb
View file @
57519565
...
@@ -18,6 +18,7 @@ class Ability
...
@@ -18,6 +18,7 @@ class Ability
when
Namespace
then
namespace_abilities
(
user
,
subject
)
when
Namespace
then
namespace_abilities
(
user
,
subject
)
when
GroupMember
then
group_member_abilities
(
user
,
subject
)
when
GroupMember
then
group_member_abilities
(
user
,
subject
)
when
ProjectMember
then
project_member_abilities
(
user
,
subject
)
when
ProjectMember
then
project_member_abilities
(
user
,
subject
)
when
User
then
user_abilities
()
else
[]
else
[]
end
.
concat
(
global_abilities
(
user
))
end
.
concat
(
global_abilities
(
user
))
end
end
...
@@ -35,6 +36,8 @@ class Ability
...
@@ -35,6 +36,8 @@ class Ability
anonymous_project_abilities
(
subject
)
anonymous_project_abilities
(
subject
)
when
subject
.
is_a?
(
Group
)
||
subject
.
respond_to?
(
:group
)
when
subject
.
is_a?
(
Group
)
||
subject
.
respond_to?
(
:group
)
anonymous_group_abilities
(
subject
)
anonymous_group_abilities
(
subject
)
when
subject
.
is_a?
(
User
)
anonymous_user_abilities
()
else
else
[]
[]
end
end
...
@@ -67,6 +70,10 @@ class Ability
...
@@ -67,6 +70,10 @@ class Ability
# Allow to read issues by anonymous user if issue is not confidential
# Allow to read issues by anonymous user if issue is not confidential
rules
<<
:read_issue
unless
subject
.
is_a?
(
Issue
)
&&
subject
.
confidential?
rules
<<
:read_issue
unless
subject
.
is_a?
(
Issue
)
&&
subject
.
confidential?
# Allow anonymous users to read project members if public is not a restricted level
restricted_public_level
=
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
rules
<<
:read_project_member
unless
restricted_public_level
rules
-
project_disabled_features_rules
(
project
)
rules
-
project_disabled_features_rules
(
project
)
else
else
[]
[]
...
@@ -81,17 +88,23 @@ class Ability
...
@@ -81,17 +88,23 @@ class Ability
end
end
def
anonymous_group_abilities
(
subject
)
def
anonymous_group_abilities
(
subject
)
rules
=
[]
group
=
if
subject
.
is_a?
(
Group
)
group
=
if
subject
.
is_a?
(
Group
)
subject
subject
else
else
subject
.
group
subject
.
group
end
end
if
group
&&
group
.
public?
if
group
[
:read_group
]
rules
<<
[
:read_group
]
if
group
.
public?
else
[]
# Allow anonymous users to read project members if public is not a restricted level
restricted_public_level
=
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
rules
<<
[
:read_group_members
]
unless
restricted_public_level
end
end
rules
end
end
def
anonymous_personal_snippet_abilities
(
snippet
)
def
anonymous_personal_snippet_abilities
(
snippet
)
...
@@ -110,6 +123,11 @@ class Ability
...
@@ -110,6 +123,11 @@ class Ability
end
end
end
end
def
anonymous_user_abilities
()
restricted_by_public
=
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
[
:read_user
]
unless
restricted_by_public
end
def
global_abilities
(
user
)
def
global_abilities
(
user
)
rules
=
[]
rules
=
[]
rules
<<
:create_group
if
user
.
can_create_group
rules
<<
:create_group
if
user
.
can_create_group
...
@@ -164,6 +182,7 @@ class Ability
...
@@ -164,6 +182,7 @@ class Ability
:download_code
,
:download_code
,
:fork_project
,
:fork_project
,
:read_commit_status
,
:read_commit_status
,
:read_project_members
]
]
end
end
...
@@ -285,7 +304,7 @@ class Ability
...
@@ -285,7 +304,7 @@ class Ability
def
group_abilities
(
user
,
group
)
def
group_abilities
(
user
,
group
)
rules
=
[]
rules
=
[]
rules
<<
:read_group
if
can_read_group?
(
user
,
group
)
rules
<<
[
:read_group
,
:read_group_members
]
if
can_read_group?
(
user
,
group
)
# Only group masters and group owners can create new projects
# Only group masters and group owners can create new projects
if
group
.
has_master?
(
user
)
||
group
.
has_owner?
(
user
)
||
user
.
admin?
if
group
.
has_master?
(
user
)
||
group
.
has_owner?
(
user
)
||
user
.
admin?
...
@@ -456,6 +475,10 @@ class Ability
...
@@ -456,6 +475,10 @@ class Ability
rules
rules
end
end
def
user_abilities
()
[
:read_user
]
end
def
abilities
def
abilities
@abilities
||=
begin
@abilities
||=
begin
abilities
=
Six
.
new
abilities
=
Six
.
new
...
...
app/models/user.rb
View file @
57519565
...
@@ -835,10 +835,6 @@ class User < ActiveRecord::Base
...
@@ -835,10 +835,6 @@ class User < ActiveRecord::Base
notification_settings
.
find_or_initialize_by
(
source:
source
)
notification_settings
.
find_or_initialize_by
(
source:
source
)
end
end
def
public?
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
end
private
private
def
projects_union
def
projects_union
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment