diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/helpers.rb | 45 | ||||
| -rw-r--r-- | lib/api/issues.rb | 8 | ||||
| -rw-r--r-- | lib/api/milestones.rb | 6 | ||||
| -rw-r--r-- | lib/api/projects.rb | 17 | ||||
| -rw-r--r-- | lib/gitlab/backend/gitolite.rb | 2 | ||||
| -rw-r--r-- | lib/gitlab/backend/gitolite_config.rb | 13 | ||||
| -rw-r--r-- | lib/gitlab/merge.rb | 3 |
7 files changed, 67 insertions, 27 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index ce7b7b497fc..054eb2d3f70 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -8,7 +8,7 @@ module Gitlab if @project ||= current_user.projects.find_by_id(params[:id]) || current_user.projects.find_by_code(params[:id]) else - error!({'message' => '404 Not found'}, 404) + not_found! end @project @@ -19,7 +19,48 @@ module Gitlab end def authenticate! - error!({'message' => '401 Unauthorized'}, 401) unless current_user + unauthorized! unless current_user + end + + def authorize! action, subject + unless abilities.allowed?(current_user, action, subject) + forbidden! + end + end + + # error helpers + + def forbidden! + render_api_error!('403 Forbidden', 403) + end + + def not_found!(resource = nil) + message = ["404"] + message << resource if resource + message << "Not Found" + render_api_error!(message.join(' '), 404) + end + + def unauthorized! + render_api_error!('401 Unauthorized', 401) + end + + def not_allowed! + render_api_error!('Method Not Allowed', 405) + end + + def render_api_error!(message, status) + error!({'message' => message}, status) + end + + private + + def abilities + @abilities ||= begin + abilities = Six.new + abilities << Ability + abilities + end end end end diff --git a/lib/api/issues.rb b/lib/api/issues.rb index 68cb7e059b9..659f065e390 100644 --- a/lib/api/issues.rb +++ b/lib/api/issues.rb @@ -60,7 +60,7 @@ module Gitlab if @issue.save present @issue, with: Entities::Issue else - error!({'message' => '404 Not found'}, 404) + not_found! end end @@ -79,6 +79,8 @@ module Gitlab # PUT /projects/:id/issues/:issue_id put ":id/issues/:issue_id" do @issue = user_project.issues.find(params[:issue_id]) + authorize! :modify_issue, @issue + parameters = { title: (params[:title] || @issue.title), description: (params[:description] || @issue.description), @@ -91,7 +93,7 @@ module Gitlab if @issue.update_attributes(parameters) present @issue, with: Entities::Issue else - error!({'message' => '404 Not found'}, 404) + not_found! end end @@ -103,7 +105,7 @@ module Gitlab # Example Request: # DELETE /projects/:id/issues/:issue_id delete ":id/issues/:issue_id" do - error!({'message' => 'method not allowed'}, 405) + not_allowed! end end end diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb index 29f5efa41d6..4b0424ba444 100644 --- a/lib/api/milestones.rb +++ b/lib/api/milestones.rb @@ -45,7 +45,7 @@ module Gitlab if @milestone.save present @milestone, with: Entities::Milestone else - error!({'message' => '404 Not found'}, 404) + not_found! end end @@ -61,6 +61,8 @@ module Gitlab # Example Request: # PUT /projects/:id/milestones/:milestone_id put ":id/milestones/:milestone_id" do + authorize! :admin_milestone, user_project + @milestone = user_project.milestones.find(params[:milestone_id]) parameters = { title: (params[:title] || @milestone.title), @@ -72,7 +74,7 @@ module Gitlab if @milestone.update_attributes(parameters) present @milestone, with: Entities::Milestone else - error!({'message' => '404 Not found'}, 404) + not_found! end end end diff --git a/lib/api/projects.rb b/lib/api/projects.rb index 876de321c9c..dfdd359c2b2 100644 --- a/lib/api/projects.rb +++ b/lib/api/projects.rb @@ -50,7 +50,7 @@ module Gitlab if @project.saved? present @project, with: Entities::Project else - error!({'message' => '404 Not found'}, 404) + not_found! end end @@ -74,6 +74,7 @@ module Gitlab # Example Request: # POST /projects/:id/users post ":id/users" do + authorize! :admin_project, user_project user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access]) nil end @@ -87,6 +88,7 @@ module Gitlab # Example Request: # PUT /projects/:id/add_users put ":id/users" do + authorize! :admin_project, user_project user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access]) nil end @@ -99,6 +101,7 @@ module Gitlab # Example Request: # DELETE /projects/:id/users delete ":id/users" do + authorize! :admin_project, user_project user_project.delete_users_ids_from_team(params[:user_ids].values) nil end @@ -209,7 +212,7 @@ module Gitlab if @snippet.save present @snippet, with: Entities::ProjectSnippet else - error!({'message' => '404 Not found'}, 404) + not_found! end end @@ -226,6 +229,8 @@ module Gitlab # PUT /projects/:id/snippets/:snippet_id put ":id/snippets/:snippet_id" do @snippet = user_project.snippets.find(params[:snippet_id]) + authorize! :modify_snippet, @snippet + parameters = { title: (params[:title] || @snippet.title), file_name: (params[:file_name] || @snippet.file_name), @@ -236,7 +241,7 @@ module Gitlab if @snippet.update_attributes(parameters) present @snippet, with: Entities::ProjectSnippet else - error!({'message' => '404 Not found'}, 404) + not_found! end end @@ -249,6 +254,8 @@ module Gitlab # DELETE /projects/:id/snippets/:snippet_id delete ":id/snippets/:snippet_id" do @snippet = user_project.snippets.find(params[:snippet_id]) + authorize! :modify_snippet, @snippet + @snippet.destroy end @@ -277,10 +284,10 @@ module Gitlab ref = params[:sha] commit = user_project.commit ref - error!('404 Commit Not Found', 404) unless commit + not_found! "Commit" unless commit tree = Tree.new commit.tree, user_project, ref, params[:filepath] - error!('404 File Not Found', 404) unless tree.try(:tree) + not_found! "File" unless tree.try(:tree) if tree.text? encoding = Gitlab::Encode.detect_encoding(tree.data) diff --git a/lib/gitlab/backend/gitolite.rb b/lib/gitlab/backend/gitolite.rb index 658182c7858..fe5dcef40a9 100644 --- a/lib/gitlab/backend/gitolite.rb +++ b/lib/gitlab/backend/gitolite.rb @@ -35,7 +35,7 @@ module Gitlab end def enable_automerge - config.admin_all_repo!(project) + config.admin_all_repo! end alias_method :create_repository, :update_repository diff --git a/lib/gitlab/backend/gitolite_config.rb b/lib/gitlab/backend/gitolite_config.rb index 61ec8c11cd7..0d636d2d789 100644 --- a/lib/gitlab/backend/gitolite_config.rb +++ b/lib/gitlab/backend/gitolite_config.rb @@ -148,18 +148,7 @@ module Gitlab # Enable access to all repos for gitolite admin. # We use it for accept merge request feature def admin_all_repo - owner_name = "" - - # Read gitolite-admin user - # - begin - repo = conf.get_repo("gitolite-admin") - owner_name = repo.permissions[0]["RW+"][""][0] - raise StandardError if owner_name.blank? - rescue => ex - puts "Can't determine gitolite-admin owner".red - raise StandardError - end + owner_name = Gitlab.config.gitolite_admin_key # @ALL repos premission for gitolite owner repo_name = "@all" diff --git a/lib/gitlab/merge.rb b/lib/gitlab/merge.rb index 134695ce21c..180135745f8 100644 --- a/lib/gitlab/merge.rb +++ b/lib/gitlab/merge.rb @@ -21,8 +21,7 @@ module Gitlab if output =~ /CONFLICT/ false else - repo.git.push({}, "origin", merge_request.target_branch) - true + !!repo.git.push({}, "origin", merge_request.target_branch) end end end |