From 525a8cd3e96b7bae0acda8b6e94df529fa06ff6a Mon Sep 17 00:00:00 2001 From: Sato Hiroyuki Date: Tue, 29 Jan 2013 17:25:17 +0900 Subject: Switchable the main branch on network graph --- app/controllers/graph_controller.rb | 18 ++++++++++++++++++ app/controllers/projects_controller.rb | 10 ---------- app/controllers/refs_controller.rb | 2 ++ 3 files changed, 20 insertions(+), 10 deletions(-) create mode 100644 app/controllers/graph_controller.rb (limited to 'app/controllers') diff --git a/app/controllers/graph_controller.rb b/app/controllers/graph_controller.rb new file mode 100644 index 00000000000..30ec5e89db2 --- /dev/null +++ b/app/controllers/graph_controller.rb @@ -0,0 +1,18 @@ +class GraphController < ProjectResourceController + include ExtractsPath + + # Authorize + before_filter :authorize_read_project! + before_filter :authorize_code_access! + before_filter :require_non_empty_project + + def show + respond_to do |format| + format.html + format.json do + graph = Gitlab::Graph::JsonBuilder.new(project, @ref) + render :json => graph.to_json + end + end + end +end diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 6e5e1f91381..7978ea6222c 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -90,16 +90,6 @@ class ProjectsController < ProjectResourceController end end - def graph - respond_to do |format| - format.html - format.json do - graph = Gitlab::Graph::JsonBuilder.new(project) - render :json => graph.to_json - end - end - end - def destroy return access_denied! unless can?(current_user, :remove_project, project) diff --git a/app/controllers/refs_controller.rb b/app/controllers/refs_controller.rb index 09d9eb51b82..0e4dba3dc4b 100644 --- a/app/controllers/refs_controller.rb +++ b/app/controllers/refs_controller.rb @@ -13,6 +13,8 @@ class RefsController < ProjectResourceController format.html do new_path = if params[:destination] == "tree" project_tree_path(@project, (@ref + "/" + params[:path])) + elsif params[:destination] == "graph" + project_graph_path(@project, @ref) else project_commits_path(@project, @ref) end -- cgit v1.2.1 From e6002bdaffc819ea3b743955315cf50eb804dbdb Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Fri, 1 Feb 2013 19:04:11 +0200 Subject: Ability to manage and remove group as owner outside of admin area --- app/controllers/groups_controller.rb | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index 72df170f1fd..7b8649a6bdf 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -6,6 +6,7 @@ class GroupsController < ApplicationController # Authorize before_filter :authorize_read_group!, except: [:new, :create] + before_filter :authorize_admin_group!, only: [:edit, :update, :destroy] before_filter :authorize_create_group!, only: [:new, :create] # Load group projects @@ -84,6 +85,31 @@ class GroupsController < ApplicationController redirect_to people_group_path(@group), notice: 'Users was successfully added.' end + def edit + end + + def update + group_params = params[:group].dup + owner_id =group_params.delete(:owner_id) + + if owner_id + @group.owner = User.find(owner_id) + end + + if @group.update_attributes(group_params) + redirect_to @group, notice: 'Group was successfully updated.' + else + render action: "edit" + end + end + + def destroy + @group.truncate_teams + @group.destroy + + redirect_to root_path, notice: 'Group was removed.' + end + protected def group @@ -106,6 +132,14 @@ class GroupsController < ApplicationController end def authorize_create_group! - can?(current_user, :create_group, nil) + unless can?(current_user, :create_group, nil) + return render_404 + end + end + + def authorize_admin_group! + unless can?(current_user, :manage_group, group) + return render_404 + end end end -- cgit v1.2.1 From 85de55a120a615f8cf51a343a89789b802d776e2 Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Sat, 2 Feb 2013 20:32:13 +0200 Subject: Dont allow gitlab be loaded in iframe --- app/controllers/application_controller.rb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 74125e3308a..ca2a5623f42 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -4,6 +4,7 @@ class ApplicationController < ActionController::Base before_filter :set_current_user_for_observers before_filter :add_abilities before_filter :dev_tools if Rails.env == 'development' + before_filter :default_headers protect_from_forgery @@ -148,4 +149,8 @@ class ApplicationController < ActionController::Base Rack::MiniProfiler.authorize_request end + def default_headers + headers['X-Frame-Options'] = 'DENY' + headers['X-XSS-Protection'] = '1; mode=block' + end end -- cgit v1.2.1 From 27d9ac0fe8a33f0e94178c1f46826bc114e16467 Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Mon, 4 Feb 2013 15:07:56 +0200 Subject: Make gitlab works with gitlab-shell --- app/controllers/application_controller.rb | 5 ----- 1 file changed, 5 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index ca2a5623f42..1f211bac9c2 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -10,11 +10,6 @@ class ApplicationController < ActionController::Base helper_method :abilities, :can? - rescue_from Gitlab::Gitolite::AccessDenied do |exception| - log_exception(exception) - render "errors/gitolite", layout: "errors", status: 500 - end - rescue_from Encoding::CompatibilityError do |exception| log_exception(exception) render "errors/encoding", layout: "errors", status: 500 -- cgit v1.2.1