#465: wip

2015-03-20 02:45:15 +03:00 · 2015-03-20 02:45:15 +03:00 · a69b03b88c
parent d4d8f75f12
commit a69b03b88c
3 changed files with 42 additions and 14 deletions
--- a/app/controllers/platforms/platforms_controller.rb
+++ b/app/controllers/platforms/platforms_controller.rb
@ -5,6 +5,7 @@ class Platforms::PlatformsController < Platforms::BaseController
  skip_before_action :authenticate_user!, only: [:advisories, :members, :show] if APP_CONFIG['anonymous_access']

  def index
+    authorize :platform
    respond_to do |format|
      format.html {}

@ -17,22 +18,23 @@ class Platforms::PlatformsController < Platforms::BaseController
  end

  def show
-    authorize @platform = Platform.find_cached(params[:id])
  end

  def new
+    authorize @platform = Platform.new
    @admin_uname  = current_user.uname
    @admin_id     = current_user.id
-    @platform     = Platform.new
  end

  def edit
+    authorize @platform
    @admin_id = @platform.owner.id
    @admin_uname = @platform.owner.uname
  end

  def create
-    @admin_id = params[:admin_id]
+    authorize @platform = Platform.new(params[:platform])
+    @admin_id    = params[:admin_id]
    @admin_uname = params[:admin_uname]
    # FIXME: do not allow manipulate owner model, only platforms onwer_id and onwer_type
    @platform.owner = @admin_id.blank? ? get_owner : User.find(@admin_id)
@ -47,6 +49,7 @@ class Platforms::PlatformsController < Platforms::BaseController
  end

  def update
+    authorize @platform
    @admin_id = params[:admin_id]
    @admin_uname = params[:admin_uname]

@ -54,7 +57,6 @@ class Platforms::PlatformsController < Platforms::BaseController
    platform_params = platform_params.slice(:description, :platform_arch_settings_attributes, :released, :automatic_metadata_regeneration, :default_branch)
    platform_params[:owner] = User.find(@admin_id) if @admin_id.present?

-
    respond_to do |format|
      format.html do
        if @platform.update_attributes(platform_params)
@ -76,6 +78,7 @@ class Platforms::PlatformsController < Platforms::BaseController
  end

  def regenerate_metadata
+    authorize @platform
    if @platform.regenerate
      flash[:notice] = I18n.t('flash.platform.saved')
    else
@ -85,6 +88,7 @@ class Platforms::PlatformsController < Platforms::BaseController
  end

  def change_visibility
+    authorize @platform
    if @platform.change_visibility
      flash[:notice] = I18n.t("flash.platform.saved")
      redirect_to @platform
@ -96,12 +100,14 @@ class Platforms::PlatformsController < Platforms::BaseController
  end

  def clone
+    authorize @platform
    @cloned = Platform.new
    @cloned.name = @platform.name + "_clone"
    @cloned.description = @platform.description + "_clone"
  end

  def make_clone
+    authorize @platform
    @cloned = @platform.full_clone params[:platform].merge(owner: current_user)
    if @cloned.persisted?
      flash[:notice] = I18n.t("flash.platform.clone_success")
@ -113,16 +119,19 @@ class Platforms::PlatformsController < Platforms::BaseController
  end

  def destroy
+    authorize @platform
    @platform.destroy # later with resque
    flash[:notice] = t("flash.platform.destroyed")
    redirect_to platforms_path
  end

  def members
+    authorize @platform
    @members = @platform.members.order(:uname)
  end

  def remove_members
+    authorize @platform
    User.where(id: params[:members]).each do |user|
      @platform.remove_member(user)
    end
@ -130,7 +139,8 @@ class Platforms::PlatformsController < Platforms::BaseController
  end

  def add_member
-    member = User.where(id: params[:member_id]).first
+    authorize @platform
+    member = User.find_by(id: params[:member_id])
    if !member
      flash[:error] = t("flash.collaborators.wrong_user", uname: params[:member_id])
    elsif @platform.add_member(member)
@ -142,13 +152,22 @@ class Platforms::PlatformsController < Platforms::BaseController
  end

  def advisories
+    authorize @platform
    @advisories = @platform.advisories.paginate(page: params[:page])
  end

  def clear
+    authorize @platform
    @platform.clear
    flash[:notice] = t('flash.repository.clear')
    redirect_to edit_platform_path(@platform)
  end

+  private
+
+  # Private: before_action hook which loads Platform.
+  def load_platform
+    authorize @platform = Platform.find_cached(params[:id]), :show? if params[:id]
+  end
+
 end
--- a/app/controllers/platforms/repositories_controller.rb
+++ b/app/controllers/platforms/repositories_controller.rb
@ -7,8 +7,6 @@ class Platforms::RepositoriesController < Platforms::BaseController
  before_action :authenticate_user!
  skip_before_action :authenticate_user!, only: [:index, :show, :projects_list] if APP_CONFIG['anonymous_access']

-  # load_and_authorize_resource :platform
-  # load_and_authorize_resource :repository, through: :platform, shallow: true
  before_action :set_members, only: [:edit, :update]
  before_action :load_repository
  before_action -> { @repository = @platform.repositories.find(params[:id]) if params[:id] }
@ -23,9 +21,11 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def edit
+    authorize @repository
  end

  def update
+    authorize @repository
    if @repository.update_attributes params[:repository].slice(:description, :synchronizing_publications, :publish_builds_only_from_branch).merge(publish_without_qa: (params[:repository][:publish_without_qa] || @repository.publish_without_qa))
      flash[:notice] = I18n.t("flash.repository.updated")
      redirect_to platform_repository_path(@platform, @repository)
@ -37,14 +37,16 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def remove_members
-    User.where(id: params[:members]).each do |user|
+    authorize @repository
+    User.where(id: params[:members]).find_each do |user|
      @repository.remove_member(user)
    end
    redirect_to edit_platform_repository_path(@platform, @repository)
  end

  def add_member
-    if member = User.where(id: params[:member_id]).first
+    authorize @repository
+    if member = User.find_by(id: params[:member_id])
      if @repository.add_member(member)
        flash[:notice] = t('flash.repository.members.successfully_added', name: member.uname)
      else
@ -55,11 +57,12 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def new
-    @repository = Repository.new
+    authorize @repository = @platform.repositories.new
    @platform_id = params[:platform_id]
  end

  def destroy
+    authorize @repository
    @repository.destroy

    flash[:notice] = t("flash.repository.destroyed")
@ -67,7 +70,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def create
-    @repository = @platform.repositories.build(params[:repository])
+    authorize @repository = @platform.repositories.build(params[:repository])
    if @repository.save
      flash[:notice] = t('flash.repository.saved')
      redirect_to platform_repository_path(@platform, @repository)
@ -78,6 +81,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def add_project
+    authorize @repository
    if projects_list = params.try(:[], :repository).try(:[], :projects_list)
      @repository.add_projects projects_list, current_user
      redirect_to platform_repository_path(@platform, @repository), notice: t('flash.repository.projects_will_be_added')
@ -102,6 +106,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def projects_list
+    authorize @repository
    render(text: @repository.projects.map(&:name).join("\n")) && return if params[:text] == 'true'

    owner_subquery = "
@ -137,6 +142,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def remove_project
+    authorize @repository
    if projects_list = params.try(:[], :repository).try(:[], :projects_list)
      @repository.remove_projects projects_list
      redirect_to platform_repository_path(@platform, @repository), notice: t('flash.repository.projects_will_be_removed')
@ -152,6 +158,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def regenerate_metadata
+    authorize @repository
    if @repository.regenerate(params[:repository].try :[], :build_for_platform_id)
      flash[:notice] = t('flash.repository.regenerate_in_queue')
    else
@ -161,6 +168,7 @@ class Platforms::RepositoriesController < Platforms::BaseController
  end

  def sync_lock_file
+    authorize @repository
    if params[:remove]
      @repository.remove_sync_lock_file
      flash[:notice] = t('flash.repository.sync_lock_file_removed')
@ -171,10 +179,11 @@ class Platforms::RepositoriesController < Platforms::BaseController
    redirect_to edit_platform_repository_path(@platform, @repository)
  end

-protected
+  protected

+  # Private: before_action hook which loads Repository.
  def load_repository
-    @repository = @platform.repositories.find(params[:id]) if params[:id]
+    authorize @repository = @platform.repositories.find(params[:id]), :show? if params[:id]
  end

  def set_members
--- a/app/policies/platform_policy.rb
+++ b/app/policies/platform_policy.rb
@ -1,7 +1,7 @@
 class PlatformPolicy < ApplicationPolicy

  def index?
-    true
+    !user.guest?
  end

  def show?