From b565f33472d960e37ed41a8a0c09fbbc3ea65f1e Mon Sep 17 00:00:00 2001
From: randx <dmitriy.zaporozhets@gmail.com>
Date: Mon, 10 Sep 2012 09:06:11 +0300
Subject: [PATCH] Auth for API

---
 lib/api/helpers.rb    | 16 ++++++++++++++++
 lib/api/issues.rb     |  2 ++
 lib/api/milestones.rb |  2 ++
 lib/api/projects.rb   |  7 +++++++
 4 files changed, 27 insertions(+)

diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index ce7b7b497fc..c0ba874790a 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,5 +21,21 @@ module Gitlab
     def authenticate!
       error!({'message' => '401 Unauthorized'}, 401) unless current_user
     end
+
+    def authorize! action, subject
+      unless abilities.allowed?(current_user, action, subject)
+        error!({'message' => '403 Forbidden'}, 403)
+      end
+    end
+
+    private 
+
+    def abilities
+      @abilities ||= begin
+                       abilities = Six.new
+                       abilities << Ability
+                       abilities
+                     end
+    end
   end
 end
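Review bot: `authorize!` (L22-L26) hands `current_user` to `abilities.allowed?` without first establishing that a user is present, so an unauthenticated call reaches the Ability rules with a nil user and the result depends on how those rules treat nil — a 403 if they return false, a 500 if they call a method on it — instead of the 401 that `authenticate!` directly above is meant to produce. Unless every API class already runs `authenticate!` in a `before` filter (not visible in this patch), make the helper self-sufficient by making `authenticate!` its first statement, so that `authorize!` always yields 401 for anonymous and 403 for forbidden. The diffstat (L7-L11) shows no spec changes, so nothing currently pins the 403 path; a spec that hits each guarded route as a project member lacking the ability would do. Minor: L28 has trailing whitespace after `private`.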
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index 68cb7e059b9..4cfa7500e33 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -79,6 +79,8 @@ module Gitlab
       #   PUT /projects/:id/issues/:issue_id
       put ":id/issues/:issue_id" do
         @issue = user_project.issues.find(params[:issue_id])
+        authorize! :modify_issue, @issue
+
         parameters = {
           title: (params[:title] || @issue.title),
           description: (params[:description] || @issue.description),
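Review bot: The ability check on L47 covers only the PUT handler in this hunk; whether the sibling write routes in this file (issue creation and any other mutating endpoint) get an equivalent `authorize!` cannot be seen from here and should be confirmed, since the commit title promises "Auth for API" broadly. Checking the ability after `user_project.issues.find` (L46) is fine, as the lookup is already scoped to a project the caller can see, though an invalid `issue_id` will 404 before the 403 is ever reached. The handler body continues past the end of the hunk.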
diff --git a/lib/api/milestones.rb b/lib/api/milestones.rb
index 29f5efa41d6..7c68466760f 100644
--- a/lib/api/milestones.rb
+++ b/lib/api/milestones.rb
@@ -61,6 +61,8 @@ module Gitlab
       # Example Request:
       #   PUT /projects/:id/milestones/:milestone_id
       put ":id/milestones/:milestone_id" do
+        authorize! :admin_milestone, user_project
+
         @milestone = user_project.milestones.find(params[:milestone_id])
         parameters = {
           title: (params[:title] || @milestone.title),
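Review bot: The `authorize!` on L60 runs before the milestone lookup on L62, whereas the issue and snippet handlers in this patch authorize after their `find`; the result is that a member without the ability gets 403 here but 404 from the issue route for a bad id, which is harmless but inconsistent across the API. Either order is safe because `user_project` already scopes the lookup, so this is a consistency point: pick one placement (checking first, as done here, is the simpler contract) and apply it to the other handlers. The handler body continues past the end of the hunk.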
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 7da83429dd4..05b07e8def4 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -74,6 +74,7 @@ module Gitlab
       # Example Request:
       #   POST /projects/:id/users
       post ":id/users" do
+        authorize! :admin_project, user_project
         user_project.add_users_ids_to_team(params[:user_ids].values, params[:project_access])
         nil
       end
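Review bot: After the new `:admin_project` check on L73, `params[:project_access]` on L74 is still passed straight through to `add_users_ids_to_team` with no validation against the set of permitted access levels, so the value the admin supplies is whatever the model does with it — presumably acceptable for an admin, but worth a comment or an explicit check since the model's handling is not visible in this patch. Also note that `params[:user_ids].values` raises `NoMethodError` (a 500) when the parameter is absent or not a hash; a `error!({'message' => '400 Bad Request'}, 400) unless params[:user_ids].respond_to?(:values)` guard before L74 would turn that into a proper client error.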
@@ -87,6 +88,7 @@ module Gitlab
       # Example Request:
       #   PUT /projects/:id/add_users
       put ":id/users" do
+        authorize! :admin_project, user_project
         user_project.update_users_ids_to_role(params[:user_ids].values, params[:project_access])
         nil
       end
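Review bot: The example request comment on L79 still reads `PUT /projects/:id/add_users` while the route on L80 is `put ":id/users"`; since this endpoint now carries an admin-only check, the documented path should match the real one so that API docs generated from these comments describe the guarded route correctly — change the comment to `#   PUT /projects/:id/users`. The same unvalidated `params[:user_ids].values` / `params[:project_access]` pass-through as in the POST handler applies here.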
@@ -99,6 +101,7 @@ module Gitlab
       # Example Request:
       #   DELETE /projects/:id/users
       delete ":id/users" do
+        authorize! :admin_project, user_project
         user_project.delete_users_ids_from_team(params[:user_ids].values)
         nil
       end
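Review bot: With the `:admin_project` check on L89 in place, the remaining gap in this handler is input handling: `params[:user_ids].values` on L90 raises when `user_ids` is missing or is not a hash, producing a 500 instead of a 400, and nothing visible prevents an admin from including their own id in the list. Whether `delete_users_ids_from_team` refuses to remove the project owner or the last admin is not shown in this patch and should be confirmed, as a successful self-removal would lock the caller out of the project they just administered.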
@@ -186,6 +189,8 @@ module Gitlab
       #   PUT /projects/:id/snippets/:snippet_id
       put ":id/snippets/:snippet_id" do
         @snippet = user_project.snippets.find(params[:snippet_id])
+        authorize! :modify_snippet, @snippet
+
         parameters = {
           title: (params[:title] || @snippet.title),
           file_name: (params[:file_name] || @snippet.file_name),
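Review bot: The `:modify_snippet` check on L97 sits after the `find` on L96, which is safe given the project-scoped lookup, but the handler goes on to accept `file_name` from the request (L101) and, beyond the hunk, presumably the snippet content; those fields are not authorization concerns but the new check is the right place to be sure only members with the ability can write them. A spec exercising this PUT as a guest (expecting 403) would pin the new behaviour, as the diffstat shows no spec changes. The handler body continues past the end of the hunk.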
@@ -209,6 +214,8 @@ module Gitlab
       #   DELETE /projects/:id/snippets/:snippet_id
       delete ":id/snippets/:snippet_id" do
         @snippet = user_project.snippets.find(params[:snippet_id])
+        authorize! :modify_snippet, @snippet
+
         @snippet.destroy
       end
 
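Review bot: Deletion on L108 is guarded by the same `:modify_snippet` ability used for editing (L106); if the Ability rules distinguish editing from destroying a snippet, as the milestone route's use of a separate `:admin_milestone` suggests they may for other resources, the DELETE should use the stricter ability rather than reuse the edit one. Whether such a distinction exists in `Ability` is not visible here; if it does not, a one-line comment above L106 noting that modify covers destroy would make the intent explicit.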
-- 
GitLab