author | miks <miks@cubesystems.lv> | 2012-09-10 16:47:31 +0300 |
---|---|---|
committer | miks <miks@cubesystems.lv> | 2012-09-10 16:47:31 +0300 |
commit | 2e34a6d3c40a60ed689de5d7870fe663b1959e88 (patch) | |
tree | d2c1d12930948c11e2c767e8688ee49ac8c79ea4 /lib/api | |
parent | fdb5c82c331e43dc5d0466d2a4c90ce3e649fc7b (diff) | |
parent | 8674fba173e520a67d60e6b5289dcd1bd648d537 (diff) | |
Merge branch 'master' into project_hooks_api
Diffstat (limited to 'lib/api')
-rw-r--r-- | lib/api/helpers.rb | 45 | ||||
-rw-r--r-- | lib/api/issues.rb | 8 | ||||
-rw-r--r-- | lib/api/milestones.rb | 6 | ||||
-rw-r--r-- | lib/api/projects.rb | 17 |
4 files changed, 64 insertions, 12 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index ce7b7b497fc..054eb2d3f70 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -8,7 +8,7 @@ module Gitlab if @project ||= current_user.projects.find_by_id(params[:id]) || current_user.projects.find_by_code(params[:id]) else - error!({'message' => '404 Not found'}, 404) + not_found! end @project
@@ -19,7 +19,48 @@ module Gitlab end def authenticate! - error!({'message' => '401 Unauthorized'}, 401) unless current_user + unauthorized! unless current_user + end + + def authorize! action, subject + unless abilities.allowed?(current_user, action, subject) + forbidden! + end + end + + # error helpers + + def forbidden! + render_api_error!('403 Forbidden', 403) + end + + def not_found!(resource = nil) + message = ["404"] + message << resource if resource + message << "Not Found" + render_api_error!(message.join(' '), 404) + end + + def unauthorized! + render_api_error!('401 Unauthorized', 401) + end + + def not_allowed! + render_api_error!('Method Not Allowed', 405) + end + + def render_api_error!(message, status) + error!({'message' => message}, status) + end + + private + + def abilities + @abilities ||= begin + abilities = Six.new + abilities << Ability + abilities + end end end
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 68cb7e059b9..659f065e390 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -60,7 +60,7 @@ module Gitlab if @issue.save present @issue, with: Entities::Issue else - error!({'message' => '404 Not found'}, 404) + not_found! end end
@@ -79,6 +79,8 @@ module Gitlab # PUT /projects/:id/issues/:issue_id put ":id/issues/:issue_id" do @issue = user_project.issues.find(params[:issue_id]) + authorize! :modify_issue, @issue + parameters = { title: (params[:title] || @issue.title), description: (params[:description] || @issue.description),
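Review bot: `authorize!` in the @@ -19,7 +19,48 @@ hunk of lib/api/helpers.rb hands `current_user` straight to `abilities.allowed?` and carries no comment saying it must run after `authenticate!`; whether every route is authenticated first is not visible in this diff, so the result for a nil user depends on how `Ability` treats it. I would state the contract above the method, e.g. `# Halts with 403 unless current_user may perform action on subject; call only after authenticate!`. In the same hunk `not_allowed!` sends 'Method Not Allowed' without the status prefix the other helpers use; `render_api_error!('405 Method Not Allowed', 405)` would keep the message format uniform for API clients.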
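Review bot: The `else` branch of `if @issue.save` in the @@ -60,7 +60,7 @@ hunk of lib/api/issues.rb still answers a failed save with `not_found!`, so a validation failure is reported as 404 and a client cannot tell a rejected payload from a missing project or record. The same branch follows `save`, `saved?` or `update_attributes` in the issues.rb hunk at -91, the milestones.rb hunks at -45 and -72, and the projects.rb hunks at -50, -209 and -236. Since this commit introduces `render_api_error!`, a dedicated helper such as `def bad_request!; render_api_error!('400 Bad Request', 400); end` (the name is a suggestion) would let these branches return an accurate status. The route bodies begin outside these hunks.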
@@ -91,7 +93,7 @@ module Gitlab if @issue.update_attributes(parameters) present @issue, with: Entities::Issue else - error!({'message' => '404 Not found'}, 404) + not_found! end end
@@ -103,7 +105,7 @@ module Gitlab # Example Request: # DELETE /projects/:id/issues/:issue_id delete ":id/issues/:issue_id" do - error!({'message' => 'method not allowed'}, 405) + not_allowed! end end end
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index 29f5efa41d6..4b0424ba444 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -45,7 +45,7 @@ module Gitlab if @milestone.save present @milestone, with: Entities::Milestone else - error!({'message' => '404 Not found'}, 404) + not_found! end end
@@ -61,6 +61,8 @@ module Gitlab # Example Request: # PUT /projects/:id/milestones/:milestone_id put ":id/milestones/:milestone_id" do + authorize! :admin_milestone, user_project + @milestone = user_project.milestones.find(params[:milestone_id]) parameters = { title: (params[:title] || @milestone.title),
@@ -72,7 +74,7 @@ module Gitlab if @milestone.update_attributes(parameters) present @milestone, with: Entities::Milestone else - error!({'message' => '404 Not found'}, 404) + not_found! end end end
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 876de321c9c..dfdd359c2b2 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -50,7 +50,7 @@ module Gitlab if @project.saved? present @project, with: Entities::Project else - error!({'message' => '404 Not found'}, 404) + not_found! end end
@@ -74,6 +74,7 @@ module Gitlab # Example Request: # POST /projects/:id/users post ":id/users" do + authorize! :admin_project, user_project user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access]) nil end
@@ -87,6 +88,7 @@ module Gitlab # Example Request: # PUT /projects/:id/add_users put ":id/users" do + authorize! :admin_project, user_project user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access]) nil end
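Review bot: `authorize! :admin_milestone, user_project` is added to the PUT route in the @@ -61,6 +61,8 @@ hunk of lib/api/milestones.rb, but the create route whose tail is visible in the @@ -45,7 +45,7 @@ hunk receives only the `not_found!` change. The start of that handler lies outside the hunk, so the check may already be there; if it is not, any member resolved by `user_project` can create milestones while only holders of `:admin_milestone` can edit them. I would make `authorize! :admin_milestone, user_project` the first statement of the POST handler as well. The create routes behind the projects.rb hunk at -209 and the issues.rb hunk at -60 deserve the same look at their full bodies.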
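Review bot: In the POST `:id/users` route (@@ -74,6 +74,7 @@ hunk of lib/api/projects.rb) the new `authorize!` is followed by `params[:user_ids].values`, which raises NoMethodError when `user_ids` is absent or not a hash, and `params[:project_access]` reaches `add_users_ids_to_team` unchecked. The PUT route in the @@ -87,6 +88,7 @@ hunk and the DELETE route in the @@ -99,6 +101,7 @@ hunk have the same shape. A guard placed right after the permission check, for example `render_api_error!('400 Bad Request', 400) unless params[:user_ids].respond_to?(:values)`, would turn a malformed request into a client error instead of an unhandled exception. Whether the model restricts the access level to known values is not visible here and should be confirmed.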
@@ -99,6 +101,7 @@ module Gitlab # Example Request: # DELETE /projects/:id/users delete ":id/users" do + authorize! :admin_project, user_project user_project.delete_users_ids_from_team(params[:user_ids].values) nil end
@@ -209,7 +212,7 @@ module Gitlab if @snippet.save present @snippet, with: Entities::ProjectSnippet else - error!({'message' => '404 Not found'}, 404) + not_found! end end
@@ -226,6 +229,8 @@ module Gitlab # PUT /projects/:id/snippets/:snippet_id put ":id/snippets/:snippet_id" do @snippet = user_project.snippets.find(params[:snippet_id]) + authorize! :modify_snippet, @snippet + parameters = { title: (params[:title] || @snippet.title), file_name: (params[:file_name] || @snippet.file_name),
@@ -236,7 +241,7 @@ module Gitlab if @snippet.update_attributes(parameters) present @snippet, with: Entities::ProjectSnippet else - error!({'message' => '404 Not found'}, 404) + not_found! end end
@@ -249,6 +254,8 @@ module Gitlab # DELETE /projects/:id/snippets/:snippet_id delete ":id/snippets/:snippet_id" do @snippet = user_project.snippets.find(params[:snippet_id]) + authorize! :modify_snippet, @snippet + @snippet.destroy end
@@ -277,10 +284,10 @@ module Gitlab ref = params[:sha] commit = user_project.commit ref - error!('404 Commit Not Found', 404) unless commit + not_found! "Commit" unless commit tree = Tree.new commit.tree, user_project, ref, params[:filepath] - error!('404 File Not Found', 404) unless tree.try(:tree) + not_found! "File" unless tree.try(:tree) if tree.text? encoding = Gitlab::Encode.detect_encoding(tree.data) |
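Review bot: `not_found! "Commit"` and `not_found! "File"` in the @@ -277,10 +284,10 @@ hunk of lib/api/projects.rb change this route's error body from a bare string (`error!('404 Commit Not Found', 404)`) to the `{'message' => ...}` hash built by `render_api_error!`. The new shape matches the other routes, but it is a client-visible change that should be recorded in the API documentation or changelog. As a style point I would write the calls with parentheses, `not_found!("Commit") unless commit`, so the argument reads clearly apart from the `unless` modifier. The route body starts and ends outside the hunk.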