From a69b03b88cd7f21dcd1139ff5c8142a587ff2ed9 Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Fri, 20 Mar 2015 02:45:15 +0300 Subject: [PATCH] #465: wip --- .../platforms/platforms_controller.rb | 29 +++++++++++++++---- .../platforms/repositories_controller.rb | 25 +++++++++++----- app/policies/platform_policy.rb | 2 +- 3 files changed, 42 insertions(+), 14 deletions(-) diff --git a/app/controllers/platforms/platforms_controller.rb b/app/controllers/platforms/platforms_controller.rb index 93925dba7..0404292e0 100644 --- a/app/controllers/platforms/platforms_controller.rb +++ b/app/controllers/platforms/platforms_controller.rb @@ -5,6 +5,7 @@ class Platforms::PlatformsController < Platforms::BaseController skip_before_action :authenticate_user!, only: [:advisories, :members, :show] if APP_CONFIG['anonymous_access'] def index + authorize :platform respond_to do |format| format.html {} @@ -17,22 +18,23 @@ class Platforms::PlatformsController < Platforms::BaseController end def show - authorize @platform = Platform.find_cached(params[:id]) end def new + authorize @platform = Platform.new @admin_uname = current_user.uname @admin_id = current_user.id - @platform = Platform.new end def edit + authorize @platform @admin_id = @platform.owner.id @admin_uname = @platform.owner.uname end def create - @admin_id = params[:admin_id] + authorize @platform = Platform.new(params[:platform]) + @admin_id = params[:admin_id] @admin_uname = params[:admin_uname] # FIXME: do not allow manipulate owner model, only platforms onwer_id and onwer_type @platform.owner = @admin_id.blank? ? get_owner : User.find(@admin_id) @@ -47,6 +49,7 @@ class Platforms::PlatformsController < Platforms::BaseController end def update + authorize @platform @admin_id = params[:admin_id] @admin_uname = params[:admin_uname] @@ -54,7 +57,6 @@ class Platforms::PlatformsController < Platforms::BaseController platform_params = platform_params.slice(:description, :platform_arch_settings_attributes, :released, :automatic_metadata_regeneration, :default_branch) platform_params[:owner] = User.find(@admin_id) if @admin_id.present? - respond_to do |format| format.html do if @platform.update_attributes(platform_params) @@ -76,6 +78,7 @@ class Platforms::PlatformsController < Platforms::BaseController end def regenerate_metadata + authorize @platform if @platform.regenerate flash[:notice] = I18n.t('flash.platform.saved') else @@ -85,6 +88,7 @@ class Platforms::PlatformsController < Platforms::BaseController end def change_visibility + authorize @platform if @platform.change_visibility flash[:notice] = I18n.t("flash.platform.saved") redirect_to @platform @@ -96,12 +100,14 @@ class Platforms::PlatformsController < Platforms::BaseController end def clone + authorize @platform @cloned = Platform.new @cloned.name = @platform.name + "_clone" @cloned.description = @platform.description + "_clone" end def make_clone + authorize @platform @cloned = @platform.full_clone params[:platform].merge(owner: current_user) if @cloned.persisted? flash[:notice] = I18n.t("flash.platform.clone_success") @@ -113,16 +119,19 @@ class Platforms::PlatformsController < Platforms::BaseController end def destroy + authorize @platform @platform.destroy # later with resque flash[:notice] = t("flash.platform.destroyed") redirect_to platforms_path end def members + authorize @platform @members = @platform.members.order(:uname) end def remove_members + authorize @platform User.where(id: params[:members]).each do |user| @platform.remove_member(user) end @@ -130,7 +139,8 @@ class Platforms::PlatformsController < Platforms::BaseController end def add_member - member = User.where(id: params[:member_id]).first + authorize @platform + member = User.find_by(id: params[:member_id]) if !member flash[:error] = t("flash.collaborators.wrong_user", uname: params[:member_id]) elsif @platform.add_member(member) @@ -142,13 +152,22 @@ class Platforms::PlatformsController < Platforms::BaseController end def advisories + authorize @platform @advisories = @platform.advisories.paginate(page: params[:page]) end def clear + authorize @platform @platform.clear flash[:notice] = t('flash.repository.clear') redirect_to edit_platform_path(@platform) end + private + + # Private: before_action hook which loads Platform. + def load_platform + authorize @platform = Platform.find_cached(params[:id]), :show? if params[:id] + end + end diff --git a/app/controllers/platforms/repositories_controller.rb b/app/controllers/platforms/repositories_controller.rb index 637d35798..faf5b707b 100644 --- a/app/controllers/platforms/repositories_controller.rb +++ b/app/controllers/platforms/repositories_controller.rb @@ -7,8 +7,6 @@ class Platforms::RepositoriesController < Platforms::BaseController before_action :authenticate_user! skip_before_action :authenticate_user!, only: [:index, :show, :projects_list] if APP_CONFIG['anonymous_access'] - # load_and_authorize_resource :platform - # load_and_authorize_resource :repository, through: :platform, shallow: true before_action :set_members, only: [:edit, :update] before_action :load_repository before_action -> { @repository = @platform.repositories.find(params[:id]) if params[:id] } @@ -23,9 +21,11 @@ class Platforms::RepositoriesController < Platforms::BaseController end def edit + authorize @repository end def update + authorize @repository if @repository.update_attributes params[:repository].slice(:description, :synchronizing_publications, :publish_builds_only_from_branch).merge(publish_without_qa: (params[:repository][:publish_without_qa] || @repository.publish_without_qa)) flash[:notice] = I18n.t("flash.repository.updated") redirect_to platform_repository_path(@platform, @repository) @@ -37,14 +37,16 @@ class Platforms::RepositoriesController < Platforms::BaseController end def remove_members - User.where(id: params[:members]).each do |user| + authorize @repository + User.where(id: params[:members]).find_each do |user| @repository.remove_member(user) end redirect_to edit_platform_repository_path(@platform, @repository) end def add_member - if member = User.where(id: params[:member_id]).first + authorize @repository + if member = User.find_by(id: params[:member_id]) if @repository.add_member(member) flash[:notice] = t('flash.repository.members.successfully_added', name: member.uname) else @@ -55,11 +57,12 @@ class Platforms::RepositoriesController < Platforms::BaseController end def new - @repository = Repository.new + authorize @repository = @platform.repositories.new @platform_id = params[:platform_id] end def destroy + authorize @repository @repository.destroy flash[:notice] = t("flash.repository.destroyed") @@ -67,7 +70,7 @@ class Platforms::RepositoriesController < Platforms::BaseController end def create - @repository = @platform.repositories.build(params[:repository]) + authorize @repository = @platform.repositories.build(params[:repository]) if @repository.save flash[:notice] = t('flash.repository.saved') redirect_to platform_repository_path(@platform, @repository) @@ -78,6 +81,7 @@ class Platforms::RepositoriesController < Platforms::BaseController end def add_project + authorize @repository if projects_list = params.try(:[], :repository).try(:[], :projects_list) @repository.add_projects projects_list, current_user redirect_to platform_repository_path(@platform, @repository), notice: t('flash.repository.projects_will_be_added') @@ -102,6 +106,7 @@ class Platforms::RepositoriesController < Platforms::BaseController end def projects_list + authorize @repository render(text: @repository.projects.map(&:name).join("\n")) && return if params[:text] == 'true' owner_subquery = " @@ -137,6 +142,7 @@ class Platforms::RepositoriesController < Platforms::BaseController end def remove_project + authorize @repository if projects_list = params.try(:[], :repository).try(:[], :projects_list) @repository.remove_projects projects_list redirect_to platform_repository_path(@platform, @repository), notice: t('flash.repository.projects_will_be_removed') @@ -152,6 +158,7 @@ class Platforms::RepositoriesController < Platforms::BaseController end def regenerate_metadata + authorize @repository if @repository.regenerate(params[:repository].try :[], :build_for_platform_id) flash[:notice] = t('flash.repository.regenerate_in_queue') else @@ -161,6 +168,7 @@ class Platforms::RepositoriesController < Platforms::BaseController end def sync_lock_file + authorize @repository if params[:remove] @repository.remove_sync_lock_file flash[:notice] = t('flash.repository.sync_lock_file_removed') @@ -171,10 +179,11 @@ class Platforms::RepositoriesController < Platforms::BaseController redirect_to edit_platform_repository_path(@platform, @repository) end -protected + protected + # Private: before_action hook which loads Repository. def load_repository - @repository = @platform.repositories.find(params[:id]) if params[:id] + authorize @repository = @platform.repositories.find(params[:id]), :show? if params[:id] end def set_members diff --git a/app/policies/platform_policy.rb b/app/policies/platform_policy.rb index c84a61beb..9843d7626 100644 --- a/app/policies/platform_policy.rb +++ b/app/policies/platform_policy.rb @@ -1,7 +1,7 @@ class PlatformPolicy < ApplicationPolicy def index? - true + !user.guest? end def show?