Improve permissions on tags/branches

app/controllers/application_controller.rb

@@ -91,6 +91,10 @@ class ApplicationController < ActionController::Base
     return access_denied! unless can?(current_user, :download_code, project) or project.public?
   end
+  def authorize_push!
+    return access_denied! unless can?(current_user, :push_code, project)
+  end
+
   def authorize_create_team!
     return access_denied! unless can?(current_user, :create_team, nil)
   end

app/controllers/projects/branches_controller.rb

@@ -3,7 +3,9 @@ class Projects::BranchesController < Projects::ApplicationController
   before_filter :authorize_read_project!
   before_filter :require_non_empty_project
-  before_filter :authorize_admin_project!, only: [:destroy, :create]
+  before_filter :authorize_code_access!
+  before_filter :authorize_push!, only: [:create]
+  before_filter :authorize_admin_project!, only: [:destroy]
   def index
     @branches = Kaminari.paginate_array(@repository.branches).page(params[:page]).per(30)

app/controllers/projects/tags_controller.rb

 class Projects::TagsController < Projects::ApplicationController
   # Authorize
   before_filter :authorize_read_project!
-  before_filter :authorize_code_access!
   before_filter :require_non_empty_project
-  before_filter :authorize_admin_project!, only: [:destroy, :create]
+  before_filter :authorize_code_access!
+  before_filter :authorize_push!, only: [:create]
+  before_filter :authorize_admin_project!, only: [:destroy]
   def index
     @tags = Kaminari.paginate_array(@project.repository.tags).page(params[:page]).per(30)

app/views/projects/repositories/_filter.html.haml

@@ -10,6 +10,7 @@
 %hr
+- if can? current_user, :push_code, @project
   = link_to new_project_branch_path(@project), class: 'btn btn-create' do
     %i.icon-add-sign
     New branch