From 61dd92aaff822759941bb224de9f45bfc5f7cc9b Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon
Date: Fri, 5 May 2017 13:24:07 +0200
Subject: Authorize build update on per object basis

---
 app/controllers/projects/application_controller.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'app/controllers/projects/application_controller.rb')

diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index 89f1128ec36..afed0ac05a0 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -55,13 +55,15 @@ class Projects::ApplicationController < ApplicationController
     (current_user && current_user.already_forked?(project))
   end
 
-  def authorize_project!(action)
-    return access_denied! unless can?(current_user, action, project)
+  def authorize_action!(action)
+    unless can?(current_user, action, project)
+      return access_denied!
+    end
   end
 
   def method_missing(method_sym, *arguments, &block)
     if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
-      authorize_project!($1.to_sym)
+      authorize_action!($1.to_sym)
     else
       super
     end
-- 
cgit v1.2.1

From 7d02bcd2e0165a90a9f2c1edb34b064ff76afd69 Mon Sep 17 00:00:00 2001
From: Michael Kozono
Date: Mon, 1 May 2017 13:46:30 -0700
Subject: Redirect from redirect routes to canonical routes

---
 app/controllers/projects/application_controller.rb | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

(limited to 'app/controllers/projects/application_controller.rb')

diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index 89f1128ec36..dbdf68776f1 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
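Review bot: The guard in the new `authorize_action!` trades the one-line modifier form for a three-line `unless … return … end` block, which is the less idiomatic shape for a single early exit; `return access_denied! unless can?(current_user, action, project)` reads the same and keeps the method to one statement. The rename is consistent with the `method_missing` dispatch below it, which still forwards any `authorize_*!` name, so a one-line comment on `authorize_action!` noting that `action` arrives from `method_missing` as a symbol derived from the called method name would help readers find the call path. `method_missing`'s body runs past the end of the hunk.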
@@ -1,4 +1,6 @@
 class Projects::ApplicationController < ApplicationController
+  include RoutableActions
+
   skip_before_action :authenticate_user!
   before_action :project
   before_action :repository
@@ -24,20 +26,14 @@ class Projects::ApplicationController < ApplicationController
       end
 
       project_path = "#{namespace}/#{id}"
-      @project = Project.find_by_full_path(project_path)
+      @project = Project.find_by_full_path(project_path, follow_redirects: request.get?)
 
       if can?(current_user, :read_project, @project) && !@project.pending_delete?
-        if @project.path_with_namespace != project_path
-          redirect_to request.original_url.gsub(project_path, @project.path_with_namespace)
-        end
+        ensure_canonical_path(@project, project_path)
       else
         @project = nil
 
-        if current_user.nil?
-          authenticate_user!
-        else
-          render_404
-        end
+        route_not_found
       end
     end
 
-- 
cgit v1.2.1

From 9e48f02ea802814e4df1f1de5ed509942dca7581 Mon Sep 17 00:00:00 2001
From: Michael Kozono
Date: Thu, 4 May 2017 14:20:13 -0700
Subject: Dry up routable lookups. Fixes #30317

Note: This changes the behavior of user lookups (see the spec change) so it acts the same way as groups and projects. Unauthenticated clients attempting to access a user page will be redirected to login whether the user exists and is publicly restricted, or does not exist at all.

---
 app/controllers/projects/application_controller.rb | 49 ++++++++++------------
 1 file changed, 23 insertions(+), 26 deletions(-)

(limited to 'app/controllers/projects/application_controller.rb')

diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index dbdf68776f1..2301e1cca77 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
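Review bot: `follow_redirects: request.get?` in the second hunk encodes a deliberate decision — only GET lookups are resolved through a redirect route — but the line carries no explanation, and a later cleanup could easily flatten it to a bare `true`. The intent is presumably that a mutating request (POST/PUT/DELETE) aimed at a renamed path should not be silently re-targeted at the moved project; a comment such as `# Resolve redirect routes for GET only: a non-GET request to a stale path must not be re-pointed at the moved project` would pin that down. The enclosing `project` method starts before the hunk, and the new `ensure_canonical_path` / `route_not_found` helpers come from the included `RoutableActions` module, which is not visible here.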
@@ -2,6 +2,7 @@ class Projects::ApplicationController < ApplicationController
   include RoutableActions
 
   skip_before_action :authenticate_user!
+  before_action :redirect_git_extension
   before_action :project
   before_action :repository
   layout 'project'
@@ -10,34 +11,30 @@ class Projects::ApplicationController < ApplicationController
 
   private
 
-  def project
-    unless @project
-      namespace = params[:namespace_id]
-      id = params[:project_id] || params[:id]
-
-      # Redirect from
-      # localhost/group/project.git
-      # to
-      # localhost/group/project
-      #
-      if params[:format] == 'git'
-        redirect_to request.original_url.gsub(/\.git\/?\Z/, '')
-        return
-      end
-
-      project_path = "#{namespace}/#{id}"
-      @project = Project.find_by_full_path(project_path, follow_redirects: request.get?)
-
-      if can?(current_user, :read_project, @project) && !@project.pending_delete?
-        ensure_canonical_path(@project, project_path)
-      else
-        @project = nil
-
-        route_not_found
-      end
+  def redirect_git_extension
+    # Redirect from
+    # localhost/group/project.git
+    # to
+    # localhost/group/project
+    #
+    if params[:format] == 'git'
+      redirect_to request.original_url.gsub(/\.git\/?\Z/, '')
+      return
     end
+  end
+
+  def project
+    @project ||= find_routable!(Project, requested_full_path, extra_authorization_method: :project_not_being_deleted?)
+  end
+
+  def requested_full_path
+    namespace = params[:namespace_id]
+    id = params[:project_id] || params[:id]
+    "#{namespace}/#{id}"
+  end
 
-    @project
+  def project_not_being_deleted?(project)
+    !project.pending_delete?
   end
 
   def repository
-- 
cgit v1.2.1

From f05469f99b8c52c4dab7ac9160b47676c87124f9 Mon Sep 17 00:00:00 2001
From: Michael Kozono
Date: Thu, 4 May 2017 17:06:01 -0700
Subject: Resolve discussions

---
 app/controllers/projects/application_controller.rb | 19 ++++++------------
 1 file changed, 6 insertions(+), 13 deletions(-)

(limited to 'app/controllers/projects/application_controller.rb')
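Review bot: In `redirect_git_extension` (second hunk) the `return` after `redirect_to` is dead: it is the last statement of the `if` body and the method ends immediately after it, so nothing is skipped by returning early. Dropping it leaves `redirect_to request.original_url.gsub(/\.git\/?\Z/, '') if params[:format] == 'git'` as the whole body. Separately, the new one-line `project` would read better with a comment stating that `extra_authorization_method: :project_not_being_deleted?` adds a check on top of the ordinary read permission, so that a project pending deletion is presumably treated like a missing one (the behaviour the removed code implemented inline with `route_not_found`); that contract is otherwise only discoverable inside `find_routable!`, which lives in `RoutableActions` and is not part of this diff.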
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index 2301e1cca77..25232fc9457 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -17,24 +17,17 @@ class Projects::ApplicationController < ApplicationController
     # to
     # localhost/group/project
     #
-    if params[:format] == 'git'
-      redirect_to request.original_url.gsub(/\.git\/?\Z/, '')
-      return
-    end
+    redirect_to url_for(params.merge(format: nil)) if params[:format] == 'git'
   end
 
   def project
-    @project ||= find_routable!(Project, requested_full_path, extra_authorization_method: :project_not_being_deleted?)
-  end
-
-  def requested_full_path
-    namespace = params[:namespace_id]
-    id = params[:project_id] || params[:id]
-    "#{namespace}/#{id}"
+    @project ||= find_routable!(Project,
+                                File.join(params[:namespace_id], params[:project_id] || params[:id]),
+                                extra_authorization_proc: project_not_being_deleted?)
   end
 
-  def project_not_being_deleted?(project)
-    !project.pending_delete?
+  def project_not_being_deleted?
+    ->(project) { !project.pending_delete? }
   end
 
   def repository
-- 
cgit v1.2.1

From e1c245af51e294c84552cff8021342e7ae493b8a Mon Sep 17 00:00:00 2001
From: Michael Kozono
Date: Fri, 5 May 2017 10:48:01 -0700
Subject: Resolve discussions

---
 app/controllers/projects/application_controller.rb | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

(limited to 'app/controllers/projects/application_controller.rb')

diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index 25232fc9457..b4b0dfc3eb8 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
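Review bot: `File.join(params[:namespace_id], params[:project_id] || params[:id])` in the new `project` raises `TypeError` when either argument is `nil`, whereas the removed `"#{namespace}/#{id}"` interpolation silently produced a partial path; that is arguably the better failure, but only if every route reaching this controller guarantees `namespace_id`, which the diff cannot show. Because `File.join` next to request parameters reads like filesystem access, a comment such as `# File.join only assembles the "namespace/project" lookup key for find_routable!; nothing on disk is touched` would save the next reader a detour. The renamed `project_not_being_deleted?` now returns a lambda rather than a boolean, which breaks the `?`-suffix convention for predicates; a name like `deletion_guard`, or inlining the lambda at the call site, would be clearer.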
@@ -21,13 +21,12 @@ class Projects::ApplicationController < ApplicationController
   end
 
   def project
-    @project ||= find_routable!(Project,
-                                File.join(params[:namespace_id], params[:project_id] || params[:id]),
-                                extra_authorization_proc: project_not_being_deleted?)
-  end
+    return @project if @project
+
+    path = File.join(params[:namespace_id], params[:project_id] || params[:id])
+    auth_proc = ->(project) { !project.pending_delete? }
 
-  def project_not_being_deleted?
-    ->(project) { !project.pending_delete? }
+    @project = find_routable!(Project, path, extra_authorization_proc: auth_proc)
   end
 
   def repository
-- 
cgit v1.2.1
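Review bot: The lambda parameter in `auth_proc = ->(project) { !project.pending_delete? }` shadows the `project` method it is defined inside, so `project` means two different things a few lines apart; `->(candidate) { !candidate.pending_delete? }` avoids the confusion at no cost. The early `return @project if @project` also means that a lookup which does not yield a project (presumably the redirect or not-found path inside `find_routable!`, which is not visible here) leaves `@project` nil and is repeated on every later call within the request — the same as the `||=` it replaces, but a short comment saying the memo is intentionally only for successful lookups would make that explicit. `File.join` on the two params still raises `TypeError` if `namespace_id` is absent, as in the previous commit.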