From b565f33472d960e37ed41a8a0c09fbbc3ea65f1e Mon Sep 17 00:00:00 2001
From: randx
Date: Mon, 10 Sep 2012 09:06:11 +0300
Subject: Auth for API
---
 lib/api/helpers.rb | 16 ++++++++++++++++
 lib/api/issues.rb | 2 ++
 lib/api/milestones.rb | 2 ++
 lib/api/projects.rb | 7 +++++++
 4 files changed, 27 insertions(+)
 (limited to 'lib/api')
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index ce7b7b497fc..c0ba874790a 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,5 +21,21 @@ module Gitlab
 def authenticate!
 error!({'message' => '401 Unauthorized'}, 401) unless current_user
 end
+
+ def authorize! action, subject
+ unless abilities.allowed?(current_user, action, subject)
+ error!({'message' => '403 Forbidden'}, 403)
+ end
+ end
+
+ private
+
+ def abilities
+ @abilities ||= begin
+ abilities = Six.new
+ abilities << Ability
+ abilities
+ end
+ end
 end
 end
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 68cb7e059b9..4cfa7500e33 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -79,6 +79,8 @@ module Gitlab
 # PUT /projects/:id/issues/:issue_id
 put ":id/issues/:issue_id" do
 @issue = user_project.issues.find(params[:issue_id])
+ authorize! :modify_issue, @issue
+
 parameters = {
 title: (params[:title] || @issue.title),
 description: (params[:description] || @issue.description),
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index 29f5efa41d6..7c68466760f 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -61,6 +61,8 @@ module Gitlab
 # Example Request:
 # PUT /projects/:id/milestones/:milestone_id
 put ":id/milestones/:milestone_id" do
+ authorize! :admin_milestone, user_project
+
 @milestone = user_project.milestones.find(params[:milestone_id])
 parameters = {
 title: (params[:title] || @milestone.title),
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 7da83429dd4..05b07e8def4 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
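Review bot: `authorize!` hands whatever `current_user` holds to `abilities.allowed?(current_user, action, subject)`, so a route that reaches it without an earlier `authenticate!` would run the ability check with `nil` and answer 403 where 401 is meant; whether a global before-filter guarantees authentication is not visible in this hunk. Either make `authenticate!` the first line of `authorize!` or record the precondition above it: `# Precondition: authenticate! has already run, so current_user is present.` The definition takes parameters and should use parentheses per the style guide, `def authorize!(action, subject)`. The enclosing module starts outside the hunk.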
@@ -74,6 +74,7 @@ module Gitlab
 # Example Request:
 # POST /projects/:id/users
 post ":id/users" do
+ authorize! :admin_project, user_project
 user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
 nil
 end
@@ -87,6 +88,7 @@ module Gitlab
 # Example Request:
 # PUT /projects/:id/add_users
 put ":id/users" do
+ authorize! :admin_project, user_project
 user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
 nil
 end
@@ -99,6 +101,7 @@ module Gitlab
 # Example Request:
 # DELETE /projects/:id/users
 delete ":id/users" do
+ authorize! :admin_project, user_project
 user_project.delete_users_ids_from_team(params[:user_ids].values)
 nil
 end
@@ -186,6 +189,8 @@ module Gitlab
 # PUT /projects/:id/snippets/:snippet_id
 put ":id/snippets/:snippet_id" do
 @snippet = user_project.snippets.find(params[:snippet_id])
+ authorize! :modify_snippet, @snippet
+
 parameters = {
 title: (params[:title] || @snippet.title),
 file_name: (params[:file_name] || @snippet.file_name),
@@ -209,6 +214,8 @@ module Gitlab
 # DELETE /projects/:id/snippets/:snippet_id
 delete ":id/snippets/:snippet_id" do
 @snippet = user_project.snippets.find(params[:snippet_id])
+ authorize! :modify_snippet, @snippet
+
 @snippet.destroy
 end
--
cgit v1.2.1
From 915dac0055cd801c080ebcd37749f4fc6d2d12c4 Mon Sep 17 00:00:00 2001
From: Alex Denisov <1101.debian@gmail.com>
Date: Mon, 10 Sep 2012 10:41:46 +0300
Subject: Error throwing moved to api_helper
---
 lib/api/helpers.rb | 27 ++++++++++++++++++++++++---
 lib/api/issues.rb | 6 +++---
 lib/api/milestones.rb | 4 ++--
 lib/api/projects.rb | 10 +++++-----
 4 files changed, 34 insertions(+), 13 deletions(-)
 (limited to 'lib/api')
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index c0ba874790a..3a385f1582a 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
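Review bot: In the `delete ":id/snippets/:snippet_id"` hunk, deletion is gated by the same `:modify_snippet` ability as the update route above it; if the Ability model distinguishes deleting from editing (not visible here) a stricter ability belongs here, otherwise a short comment such as `# deleting a snippet is covered by :modify_snippet` makes the choice deliberate. In both snippet hunks, and in the issue hunk of lib/api/issues.rb in the same commit, the record is loaded with `find` before `authorize!` runs, so a caller lacking the ability receives 404 for an unknown id and 403 for an existing one and can tell which ids exist; the exposure is limited to project members because `user_project` already scopes the lookup, but checking a project-level ability before the lookup would remove the difference. The three `authorize! :admin_project, user_project` lines repeat one check; a comment on the first, `# changing team membership requires project admin rights`, states the intent once.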
@@ -8,7 +8,7 @@ module Gitlab
 if @project ||= current_user.projects.find_by_id(params[:id]) || current_user.projects.find_by_code(params[:id])
 else
- error!({'message' => '404 Not found'}, 404)
+ not_found!
 end
 @project
@@ -19,15 +19,36 @@ module Gitlab
 end
 def authenticate!
- error!({'message' => '401 Unauthorized'}, 401) unless current_user
+ unauthorized! unless current_user
 end
 def authorize! action, subject
 unless abilities.allowed?(current_user, action, subject)
- error!({'message' => '403 Forbidden'}, 403)
+ forbidden!
 end
 end
+ # error helpers
+
+ def forbidden!
+ error!({'message' => '403 Forbidden'}, 403)
+ end
+
+ def not_found!(resource = nil)
+ message = ["404"]
+ message << resource if resource
+ message << "Not Found"
+ error!({'message' => message.join(' ')}, 404)
+ end
+
+ def unauthorized!
+ error!({'message' => '401 Unauthorized'}, 401)
+ end
+
+ def not_allowed!
+ error!({'message' => 'method not allowed'}, 405)
+ end
+
 private
 def abilities
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 4cfa7500e33..659f065e390 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -60,7 +60,7 @@ module Gitlab
 if @issue.save
 present @issue, with: Entities::Issue
 else
- error!({'message' => '404 Not found'}, 404)
+ not_found!
 end
 end
@@ -93,7 +93,7 @@ module Gitlab
 if @issue.update_attributes(parameters)
 present @issue, with: Entities::Issue
 else
- error!({'message' => '404 Not found'}, 404)
+ not_found!
 end
 end
@@ -105,7 +105,7 @@ module Gitlab
 # Example Request:
 # DELETE /projects/:id/issues/:issue_id
 delete ":id/issues/:issue_id" do
- error!({'message' => 'method not allowed'}, 405)
+ not_allowed!
 end
 end
 end
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index 7c68466760f..4b0424ba444 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -45,7 +45,7 @@ module Gitlab
 if @milestone.save
 present @milestone, with: Entities::Milestone
 else
- error!({'message' => '404 Not found'}, 404)
+ not_found!
 end
 end
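Review bot: The error helpers added in the `@@ -19,15 +19,36 @@` hunk carry only the `# error helpers` header; each should state what it emits, e.g. above `not_found!`: `# Responds 404 with '404 <resource> Not Found'; resource is an optional static label such as "Commit".` The `resource` argument is joined straight into the response message and every caller in this series passes a literal; a note that it must stay a fixed label rather than a request parameter keeps the set of emitted messages predictable and greppable in logs. Replacing `'404 Not found'` with `not_found!` also changes the message casing to `404 Not Found` in every route touched here, a visible API response change that the commit message does not mention.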
@@ -74,7 +74,7 @@ module Gitlab
 if @milestone.update_attributes(parameters)
 present @milestone, with: Entities::Milestone
 else
- error!({'message' => '404 Not found'}, 404)
+ not_found!
 end
 end
 end
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 05b07e8def4..9d33323e5fb 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -50,7 +50,7 @@ module Gitlab
 if @project.saved?
 present @project, with: Entities::Project
 else
- error!({'message' => '404 Not found'}, 404)
+ not_found!
 end
 end
@@ -172,7 +172,7 @@ module Gitlab
 if @snippet.save
 present @snippet, with: Entities::ProjectSnippet
 else
- error!({'message' => '404 Not found'}, 404)
+ not_found!
 end
 end
@@ -201,7 +201,7 @@ module Gitlab
 if @snippet.update_attributes(parameters)
 present @snippet, with: Entities::ProjectSnippet
 else
- error!({'message' => '404 Not found'}, 404)
+ not_found!
 end
 end
@@ -244,10 +244,10 @@ module Gitlab
 ref = params[:sha]
 commit = user_project.commit ref
- error!('404 Commit Not Found', 404) unless commit
+ not_found! "Commit" unless commit
 tree = Tree.new commit.tree, user_project, ref, params[:filepath]
- error!('404 File Not Found', 404) unless tree.try(:tree)
+ not_found! "File" unless tree.try(:tree)
 if tree.text?
 encoding = Gitlab::Encode.detect_encoding(tree.data)
--
cgit v1.2.1
From a065557208d6076ec869144346e06c7de714389c Mon Sep 17 00:00:00 2001
From: Alex Denisov <1101.debian@gmail.com>
Date: Mon, 10 Sep 2012 13:49:00 +0300
Subject: Common errors method added
---
 lib/api/helpers.rb | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
 (limited to 'lib/api')
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 3a385f1582a..054eb2d3f70 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -31,22 +31,26 @@ module Gitlab
 # error helpers
 def forbidden!
- error!({'message' => '403 Forbidden'}, 403)
+ render_api_error!('403 Forbidden', 403)
 end
 def not_found!(resource = nil)
 message = ["404"]
 message << resource if resource
 message << "Not Found"
- error!({'message' => message.join(' ')}, 404)
+ render_api_error!(message.join(' '), 404)
 end
 def unauthorized!
- error!({'message' => '401 Unauthorized'}, 401)
+ render_api_error!('401 Unauthorized', 401)
 end
 def not_allowed!
- error!({'message' => 'method not allowed'}, 405)
+ render_api_error!('Method Not Allowed', 405)
+ end
+
+ def render_api_error!(message, status)
+ error!({'message' => message}, status)
 end
 private
--
cgit v1.2.1
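Review bot: `render_api_error!` is added without a comment and sits in the public helper section, so route authors cannot tell when to call it directly instead of the named helpers above it; a one-line doc such as `# Aborts the request through error! with a JSON body {'message' => message} and the given HTTP status.` settles that. The `not_allowed!` line also rewords its message from `'method not allowed'` to `'Method Not Allowed'`, a response-body change bundled into a refactoring commit; clients that match on the text would notice, so it deserves a mention in the commit message or its own commit. The enclosing module continues past the hunk.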