From dccfb374d396b1b7cbd86bde848165796618ef52 Mon Sep 17 00:00:00 2001
From: Nihad Abbasov <narkoz.2008@gmail.com>
Date: Fri, 6 Jun 2014 06:58:20 +0500
Subject: [PATCH] fix permissions for files API

---
 lib/api/files.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/api/files.rb b/lib/api/files.rb
index e0c46f92b84..e63e635a4d3 100644
--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -2,7 +2,6 @@ module API
   # Projects API
   class Files < Grape::API
     before { authenticate! }
-    before { authorize! :push_code, user_project }
 
     resource :projects do
       # Get file from repository
@@ -28,6 +27,8 @@ module API
       # }
       #
       get ":id/repository/files" do
+        authorize! :download_code, user_project
+
         required_attributes! [:file_path, :ref]
         attrs = attributes_for_keys [:file_path, :ref]
         ref = attrs.delete(:ref)
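Review bot: With the class-level `before { authorize! :push_code, user_project }` removed in the first hunk, the `authorize! :download_code, user_project` at the top of this GET handler is the only permission check on the route, and the same now holds for every route in `API::Files`: a handler added later without its own `authorize!` call would be authenticated but not authorised. A comment beside `before { authenticate! }` such as `# Each route must call authorize! itself; there is no class-wide permission check.` would make that contract visible to the next author. The diffstat lists only lib/api/files.rb, so a request spec for a member who has download but not push rights (GET allowed, POST/PUT/DELETE refused) would pin the intended behaviour. The handler body continues past the end of this hunk.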
@@ -68,6 +69,8 @@ module API
       #   POST /projects/:id/repository/files
       #
       post ":id/repository/files" do
+        authorize! :push_code, user_project
+
         required_attributes! [:file_path, :branch_name, :content, :commit_message]
         attrs = attributes_for_keys [:file_path, :branch_name, :content, :commit_message, :encoding]
         branch_name = attrs.delete(:branch_name)
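Review bot: `authorize! :push_code, user_project` in this POST handler is a project-wide check made before `branch_name` is read from the request, so nothing in the hunk ties the permission to the branch being written; the same applies to the PUT and DELETE handlers in the next two hunks. Whether branch-level restrictions are enforced further down is not visible here, because each handler continues outside its hunk, so that is worth confirming before relying on this check alone. If they are enforced later, a short comment such as `# project-level check only; branch restrictions are enforced further down` would record the split.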
@@ -98,6 +101,8 @@ module API
       #   PUT /projects/:id/repository/files
       #
       put ":id/repository/files" do
+        authorize! :push_code, user_project
+
         required_attributes! [:file_path, :branch_name, :content, :commit_message]
         attrs = attributes_for_keys [:file_path, :branch_name, :content, :commit_message, :encoding]
         branch_name = attrs.delete(:branch_name)
@@ -128,6 +133,8 @@ module API
       #   DELETE /projects/:id/repository/files
       #
       delete ":id/repository/files" do
+        authorize! :push_code, user_project
+
         required_attributes! [:file_path, :branch_name, :commit_message]
         attrs = attributes_for_keys [:file_path, :branch_name, :commit_message]
         branch_name = attrs.delete(:branch_name)
-- 
GitLab