From 61dd92aaff822759941bb224de9f45bfc5f7cc9b Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon
Date: Fri, 5 May 2017 13:24:07 +0200
Subject: Authorize build update on per object basis

---
 app/controllers/projects/builds_controller.rb | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

(limited to 'app/controllers/projects/builds_controller.rb')

diff --git a/app/controllers/projects/builds_controller.rb b/app/controllers/projects/builds_controller.rb
index e24fc45d166..d97bc93f8dc 100644
--- a/app/controllers/projects/builds_controller.rb
+++ b/app/controllers/projects/builds_controller.rb
@@ -1,7 +1,11 @@
 class Projects::BuildsController < Projects::ApplicationController
   before_action :build, except: [:index, :cancel_all]
-  before_action :authorize_read_build!, only: [:index, :show, :status, :raw, :trace]
-  before_action :authorize_update_build!, except: [:index, :show, :status, :raw, :trace]
+
+  before_action :authorize_read_build!,
+    only: [:index, :show, :status, :raw, :trace]
+  before_action :authorize_update_build!,
+    except: [:index, :show, :status, :raw, :trace, :cancel_all]
+
   layout 'project'
 
   def index
@@ -28,7 +32,12 @@ class Projects::BuildsController < Projects::ApplicationController
   end
 
   def cancel_all
-    @project.builds.running_or_pending.each(&:cancel)
+    return access_denied! unless can?(current_user, :update_build, project)
+
+    @project.builds.running_or_pending.each do |build|
+      build.cancel if can?(current_user, :update_build, build)
+    end
+
     redirect_to namespace_project_builds_path(project.namespace, project)
   end
 
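Review bot: `:cancel_all` is now the one action in this controller with no declarative authorization filter, since it is absent from the `only:` list of `authorize_read_build!` and added to the `except:` list of `authorize_update_build!`, and nothing on the `except:` line says why. The reason is visible further down the patch: `before_action :build` skips `:cancel_all`, so the object-level filter would have no build to check, and the action authorizes inline against the project and each build instead; a comment next to the list such as `# :cancel_all loads no single build; it checks :update_build inline per build` would stop a later reader from "fixing" the exclusion. The read-action list is also spelled twice and must stay in sync by hand; a single frozen constant, e.g. `READ_ACTIONS = %i[index show status raw trace].freeze`, used by both filters would prevent the lists from drifting apart.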
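Review bot: A build the current user may not update is silently skipped inside the `each` block, and the action then redirects exactly as it does when every build was cancelled, so the caller gets no indication of a partial result; collecting the cancelled builds with `select` and setting a flash when fewer were cancelled than were running or pending would make the outcome visible. The block also reaches the project through `@project` while the `can?` check two lines above and the `redirect_to` below use the `project` helper; `project.builds.running_or_pending.each do |build|` keeps a single accessor within the method. Each iteration runs one policy check per build, which is presumably acceptable for the number of running or pending builds a project usually has, but worth a comment if that set can be large.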
@@ -107,8 +116,14 @@ class Projects::BuildsController < Projects::ApplicationController
 
   private
 
+  def authorize_update_build!
+    return access_denied! unless can?(current_user, :update_build, build)
+  end
+
   def build
-    @build ||= project.builds.find_by!(id: params[:id]).present(current_user: current_user)
+    @build ||= project.builds
+      .find_by!(id: params[:id])
+      .present(current_user: current_user)
   end
 
   def build_path(build)
-- 
cgit v1.2.1

From 3264e09c6fbe07831db74b83d6a6620d9f8f47d9 Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon
Date: Fri, 5 May 2017 13:25:48 +0200
Subject: Require build to be present in the controller

---
 app/controllers/projects/builds_controller.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'app/controllers/projects/builds_controller.rb')

diff --git a/app/controllers/projects/builds_controller.rb b/app/controllers/projects/builds_controller.rb
index d97bc93f8dc..0fd35bcb790 100644
--- a/app/controllers/projects/builds_controller.rb
+++ b/app/controllers/projects/builds_controller.rb
@@ -121,8 +121,7 @@ class Projects::BuildsController < Projects::ApplicationController
   end
 
   def build
-    @build ||= project.builds
-      .find_by!(id: params[:id])
+    @build ||= project.builds.find(params[:id])
       .present(current_user: current_user)
   end
 
-- 
cgit v1.2.1
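Review bot: The new `authorize_update_build!` depends on `build` having already been loaded by the earlier `before_action :build` (and on that filter being declared first), and nothing in the method records this ordering dependency; a comment such as `# Object-level check: authorizes against the build loaded by before_action :build, not against the project` would make it explicit. If this definition overrides a project-level `authorize_update_build!` inherited from the parent controller, which the hunk does not show, the comment should say so too, since the narrower check is the whole point of the commit. The `return` in front of `access_denied!` is redundant in a filter whose return value is discarded; `access_denied! unless can?(current_user, :update_build, build)` is the usual filter form.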