end
def authenticate_admin!
- return redirect_to(new_user_session_path) unless current_user.is_admin?
+ return render_404 unless current_user.is_admin?
end
def authorize_project!(action)
- return redirect_to(new_user_session_path) unless can?(current_user, action, project)
+ return render_404 unless can?(current_user, action, project)
+ end
+
+ def access_denied!
+ render_404
end
def method_missing(method_sym, *arguments, &block)
class IssuesController < ApplicationController
before_filter :authenticate_user!
before_filter :project
+ before_filter :issue, :only => [:edit, :update, :destroy, :show]
# Authorize
before_filter :add_project_abilities
before_filter :authorize_read_issue!
before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort]
- before_filter :authorize_admin_issue!, :only => [:destroy]
respond_to :js
end
def edit
- @issue = @project.issues.find(params[:id])
respond_with(@issue)
end
def show
- @issue = @project.issues.find(params[:id])
@notes = @issue.notes
@note = @project.notes.new(:noteable => @issue)
end
end
def update
- @issue = @project.issues.find(params[:id])
@issue.update_attributes(params[:issue])
respond_to do |format|
def destroy
- @issue = @project.issues.find(params[:id])
+ return access_denied! unless can?(current_user, :admin_issue, @issue)
+
@issue.destroy
respond_to do |format|
render :nothing => true
end
+
+ protected
+
+ def issue
+ @issue ||= @project.issues.find(params[:id])
+ end
end
# Authorize
before_filter :add_project_abilities
before_filter :authorize_write_note!, :only => [:create]
- before_filter :authorize_admin_note!, :only => [:destroy]
respond_to :js
def destroy
@note = @project.notes.find(params[:id])
+
+ return access_denied! unless can?(current_user, :admin_note, @note)
+
@note.destroy
respond_to do |format|
def destroy
@snippet = @project.snippets.find(params[:id])
- authorize_admin_snippet! unless @snippet.author == current_user
+
+ return access_denied! unless can?(current_user, :admin_snippet, @snippet)
@snippet.destroy
- respond_to do |format|
- format.js { render :nothing => true }
- end
+ redirect_to project_snippets_path(@project)
end
end
# Authorize
before_filter :add_project_abilities
- before_filter :authorize_read_team_member!
- before_filter :authorize_admin_team_member!, :only => [:new, :create, :destroy, :update]
+ before_filter :authorize_read_project!
+ before_filter :authorize_admin_project!, :only => [:new, :create, :destroy, :update]
def show
@team_member = project.users_projects.find(params[:id])
def self.allowed(object, subject)
case subject.class.name
when "Project" then project_abilities(object, subject)
+ when "Issue" then issue_abilities(object, subject)
+ when "Note" then note_abilities(object, subject)
+ when "Snippet" then snippet_abilities(object, subject)
else []
end
end
rules.flatten
end
+
+ class << self
+ [:issue, :note, :snippet].each do |name|
+ define_method "#{name}_abilities" do |user, subject|
+ if subject.author == user
+ [
+ :"read_#{name}",
+ :"write_#{name}",
+ :"admin_#{name}"
+ ]
+ else
+ subject.respond_to?(:project) ?
+ project_abilities(user, subject.project) : []
+ end
+ end
+ end
+ end
end
end
describe "GET /project_code/blob" do
- it { blob_project_path(@project).should be_allowed_for @u1 }
- it { blob_project_path(@project).should be_allowed_for @u3 }
- it { blob_project_path(@project).should be_denied_for :admin }
- it { blob_project_path(@project).should be_denied_for @u2 }
- it { blob_project_path(@project).should be_denied_for :user }
- it { blob_project_path(@project).should be_denied_for :visitor }
+ before do
+ @commit = @project.commit
+ @path = @commit.tree.contents.select { |i| i.is_a?(Grit::Blob)}.first.name
+ @blob_path = blob_project_path(@project, :commit_id => @commit.id, :path => @path)
+ end
+
+ it { @blob_path.should be_allowed_for @u1 }
+ it { @blob_path.should be_allowed_for @u3 }
+ it { @blob_path.should be_denied_for :admin }
+ it { @blob_path.should be_denied_for @u2 }
+ it { @blob_path.should be_denied_for :user }
+ it { @blob_path.should be_denied_for :visitor }
end
describe "GET /project_code/edit" do
end
describe "GET /login" do
- it { new_user_session_path.should be_denied_for @u1 }
- it { new_user_session_path.should be_denied_for :admin }
- it { new_user_session_path.should be_denied_for :user }
- it { new_user_session_path.should be_allowed_for :visitor }
+ #it { new_user_session_path.should be_denied_for @u1 }
+ #it { new_user_session_path.should be_denied_for :admin }
+ #it { new_user_session_path.should be_denied_for :user }
+ it { new_user_session_path.should_not be_404_for :visitor }
end
describe "GET /keys" do
end
end
+RSpec::Matchers.define :be_404_for do |user|
+ match do |url|
+ include UrlAccess
+ url_404?(user, url)
+ end
+end
+
module UrlAccess
def url_allowed?(user, url)
emulate_user(user)
visit url
- result = (current_path == url)
+ (page.status_code != 404 && current_path != new_user_session_path)
end
def url_denied?(user, url)
emulate_user(user)
visit url
- result = (current_path != url)
+ (page.status_code == 404 || current_path == new_user_session_path)
+ end
+
+ def url_404?(user, url)
+ emulate_user(user)
+ visit url
+ page.status_code == 404
end
def emulate_user(user)