[#465] fix best_role; fix projects api; fix project api specs

app/controllers/api/v1/projects_controller.rb

@@ -39,7 +39,7 @@ class Api::V1::ProjectsController < Api::V1::BaseController
     else
       @project.owner = nil
     end
-    authorize @project.owner, :write? if @project.owner != current_user
+    authorize @project
     create_subject @project
   end
 
@@ -61,7 +61,9 @@ class Api::V1::ProjectsController < Api::V1::BaseController
 
   def fork(is_alias = false)
     owner = (Group.find params[:group_id] if params[:group_id].present?) || current_user
+    authorize @project, :show?
     authorize owner, :write? if owner.is_a?(Group)
+
     if forked = @project.fork(owner, new_name: params[:fork_name], is_alias: is_alias) and forked.valid?
       render_json_response forked, 'Project has been forked successfully'
     else
@@ -70,6 +72,7 @@ class Api::V1::ProjectsController < Api::V1::BaseController
   end
 
   def alias
+    authorize @project
     fork(true)
   end
 

app/controllers/application_controller.rb

@@ -19,7 +19,7 @@ class ApplicationController < ActionController::Base
                 only: [:create, :destroy, :open_id, :cancel, :publish, :change_visibility] # :update
   before_action :banned?
   after_action -> { EventLog.current_controller = nil }
-  after_action :verify_authorized
+  after_action :verify_authorized, unless: :devise_controller?
 
   helper_method :get_owner
 

app/controllers/home_controller.rb

@@ -1,5 +1,6 @@
 class HomeController < ApplicationController
   before_action :authenticate_user!, only: [:activity, :issues, :pull_requests]
+  after_action :verify_authorized, :except => [:root, :activity, :issues, :pull_requests]
 
   def root
     respond_to do |format|

app/models/user.rb

@@ -180,8 +180,13 @@ class User < Avatar
 
       gr = gr.where('groups.id != ?', target.owner.id) # exclude target owner group from users group list
     end
+
+    if target.class == Group
+      roles += target.actors.where(actor_id: self.id, actor_type: 'User') # user is member of a target group
+    else
+      roles += rel.where(actor_id: gr.pluck('DISTINCT groups.id'), actor_type: 'Group') # user group is member
+    end
     roles += rel.where(actor_id: self.id, actor_type: 'User') # user is member
-    roles += rel.where(actor_id: gr.pluck('DISTINCT groups.id'), actor_type: 'Group') # user group is member
     roles.map(&:role).uniq
   end
 

app/policies/project_policy.rb

@@ -22,7 +22,7 @@ class ProjectPolicy < ApplicationPolicy
   def create?
     return true if is_admin?
     return false if user.guest?
-    !record.try(:owner) || owner_policy.write?
+    owner_policy.write?
   end
 
   def update?