提交
4f07c0a1
编写于
3月 25, 2016
作者:
R
Rémy Coutable
Ensure project snippets have their own access level
上级
f4bdefdf
变更
5
Showing
5 changed file
with
266 addition
and
16 deletion
+266
-16
app/controllers/projects/snippets_controller.rb
app/controllers/projects/snippets_controller.rb
+1
-1
app/models/ability.rb
app/models/ability.rb
+31
-15
spec/features/security/project/snippet/internal_access_spec.rb
...features/security/project/snippet/internal_access_spec.rb
+78
-0
spec/features/security/project/snippet/private_access_spec.rb
.../features/security/project/snippet/private_access_spec.rb
+63
-0
spec/features/security/project/snippet/public_access_spec.rb
spec/features/security/project/snippet/public_access_spec.rb
+93
-0
app/controllers/projects/snippets_controller.rb
@@ -3,7 +3,7 @@ class Projects::SnippetsController < Projects::ApplicationController
before_action
:snippet
,
only:
[
:show
,
:edit
,
:destroy
,
:update
,
:raw
]
# Allow read any snippet
before_action
:authorize_read_project_snippet!
,
except:
[
:index
]
before_action
:authorize_read_project_snippet!
,
except:
[
:
new
,
:create
,
:
index
]
# Allow write(create) snippet
before_action
:authorize_create_project_snippet!
,
only:
[
:new
,
:create
]
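Review bot: The comment `# Allow read any snippet` above the changed `before_action` is now inaccurate, because the read filter is skipped for `new`, `create` and `index`; I would reword it to `# Snippet read check for every action that loads a snippet; index relies on project-level access, new/create on the create check below`. The hunk shows no separate authorization filter for `edit`, `update` and `destroy`, so unless one exists further down the file (outside this hunk) those actions are gated only by `authorize_read_project_snippet!`, which for an internal snippet `project_snippet_abilities` satisfies for any non-external user. The controller class body continues outside the hunk.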
app/models/ability.rb
@@ -348,24 +348,22 @@ class Ability
end
end
[
:note
,
:project_snippet
].
each
do
|
name
|
define_method
"
#{
name
}
_abilities"
do
|
user
,
subject
|
rules
=
[]
if
subject
.
author
==
user
rules
+=
[
:"read_
#{
name
}
"
,
:"update_
#{
name
}
"
,
:"admin_
#{
name
}
"
]
end
def
note_abilities
(
user
,
note
)
rules
=
[]
if
subject
.
respond_to?
(
:project
)
&&
subject
.
project
rules
+=
project_abilities
(
user
,
subject
.
project
)
end
if
note
.
author
==
user
rules
+=
[
:read_note
,
:update_note
,
:admin_note
]
end
rules
if
note
.
respond_to?
(
:project
)
&&
note
.
project
rules
+=
project_abilities
(
user
,
note
.
project
)
end
rules
end
def
personal_snippet_abilities
(
user
,
snippet
)
@@ -386,6 +384,24 @@ class Ability
rules
end
def
project_snippet_abilities
(
user
,
snippet
)
rules
=
[]
if
snippet
.
author
==
user
||
user
.
admin?
rules
+=
[
:read_project_snippet
,
:update_project_snippet
,
:admin_project_snippet
]
end
if
snippet
.
public?
||
(
snippet
.
internal?
&&
!
user
.
external?
)
||
(
snippet
.
private?
&&
snippet
.
project
.
team
.
member?
(
user
))
rules
<<
:read_project_snippet
end
rules
end
def
group_member_abilities
(
user
,
subject
)
rules
=
[]
target_user
=
subject
.
user
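Review bot: In the added `project_snippet_abilities` (second hunk), read access for a public snippet, and for an internal one when `!user.external?`, is granted without consulting the enclosing project's visibility or membership, so a public or internal snippet inside a private project yields `:read_project_snippet` here and protection rests entirely on the controller's project-level check; either intersect with `project_abilities(user, snippet.project)` or state that reliance in a comment on the method. `user.admin?` and `user.external?` raise for a nil (anonymous) user, which is presumably routed elsewhere by the caller; a one-line comment or `return [] unless user` would make that explicit. The new `note_abilities` in the first hunk grants the author rules without the `|| user.admin?` clause that `project_snippet_abilities` adds, so the two replacements of the shared `define_method` loop no longer behave alike for admins — confirm that is intended. Minor: an author also collects `:read_project_snippet` twice, so `rules.uniq` at the end keeps the result clean.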
spec/features/security/project/snippet/internal_access_spec.rb
0 → 100644
require
'spec_helper'
describe
"Internal Project Snippets Access"
,
feature:
true
do
include
AccessMatchers
let
(
:project
)
{
create
(
:project
,
:internal
)
}
let
(
:owner
)
{
project
.
owner
}
let
(
:master
)
{
create
(
:user
)
}
let
(
:developer
)
{
create
(
:user
)
}
let
(
:reporter
)
{
create
(
:user
)
}
let
(
:guest
)
{
create
(
:user
)
}
let
(
:internal_snippet
)
{
create
(
:project_snippet
,
:internal
,
project:
project
,
author:
owner
)
}
let
(
:private_snippet
)
{
create
(
:project_snippet
,
:private
,
project:
project
,
author:
owner
)
}
before
do
project
.
team
<<
[
master
,
:master
]
project
.
team
<<
[
developer
,
:developer
]
project
.
team
<<
[
reporter
,
:reporter
]
project
.
team
<<
[
guest
,
:guest
]
end
describe
"GET /:project_path/snippets"
do
subject
{
namespace_project_snippets_path
(
project
.
namespace
,
project
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_allowed_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
describe
"GET /:project_path/snippets/new"
do
subject
{
new_namespace_project_snippet_path
(
project
.
namespace
,
project
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_denied_for
guest
}
it
{
is_expected
.
to
be_denied_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
describe
"GET /:project_path/snippets/:id for an internal snippet"
do
subject
{
namespace_project_snippet_path
(
project
.
namespace
,
project
,
internal_snippet
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_allowed_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
describe
"GET /:project_path/snippets/:id for a private snippet"
do
subject
{
namespace_project_snippet_path
(
project
.
namespace
,
project
,
private_snippet
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_denied_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
end
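Review bot: The new private-project spec (`spec/features/security/project/snippet/private_access_spec.rb`) only creates a `:private` snippet, so the case the new ability code most needs pinned — a `:public` or `:internal` snippet inside a private project — has no assertion that `:user`, `:external` and `:visitor` are denied; adding `let(:public_snippet)` / `let(:internal_snippet)` and matching `describe` blocks there, as `public_access_spec.rb` already does, would cover it. This file (internal project) likewise has no public-snippet case. Across all three new spec files only GET routes are exercised, so `edit`, `update`, `destroy` and `raw`, which the controller change also affects, have no coverage.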
spec/features/security/project/snippet/private_access_spec.rb
0 → 100644
require
'spec_helper'
describe
"Private Project Snippets Access"
,
feature:
true
do
include
AccessMatchers
let
(
:project
)
{
create
(
:project
,
:private
)
}
let
(
:owner
)
{
project
.
owner
}
let
(
:master
)
{
create
(
:user
)
}
let
(
:developer
)
{
create
(
:user
)
}
let
(
:reporter
)
{
create
(
:user
)
}
let
(
:guest
)
{
create
(
:user
)
}
let
(
:private_snippet
)
{
create
(
:project_snippet
,
:private
,
project:
project
,
author:
owner
)
}
before
do
project
.
team
<<
[
master
,
:master
]
project
.
team
<<
[
developer
,
:developer
]
project
.
team
<<
[
reporter
,
:reporter
]
project
.
team
<<
[
guest
,
:guest
]
end
describe
"GET /:project_path/snippets"
do
subject
{
namespace_project_snippets_path
(
project
.
namespace
,
project
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_denied_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
describe
"GET /:project_path/snippets/new"
do
subject
{
new_namespace_project_snippet_path
(
project
.
namespace
,
project
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_denied_for
guest
}
it
{
is_expected
.
to
be_denied_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
describe
"GET /:project_path/snippets/:id for a private snippet"
do
subject
{
namespace_project_snippet_path
(
project
.
namespace
,
project
,
private_snippet
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_denied_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
end
spec/features/security/project/snippet/public_access_spec.rb
0 → 100644
require
'spec_helper'
describe
"Public Project Snippets Access"
,
feature:
true
do
include
AccessMatchers
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:owner
)
{
project
.
owner
}
let
(
:master
)
{
create
(
:user
)
}
let
(
:developer
)
{
create
(
:user
)
}
let
(
:reporter
)
{
create
(
:user
)
}
let
(
:guest
)
{
create
(
:user
)
}
let
(
:public_snippet
)
{
create
(
:project_snippet
,
:public
,
project:
project
,
author:
owner
)
}
let
(
:internal_snippet
)
{
create
(
:project_snippet
,
:internal
,
project:
project
,
author:
owner
)
}
let
(
:private_snippet
)
{
create
(
:project_snippet
,
:private
,
project:
project
,
author:
owner
)
}
before
do
project
.
team
<<
[
master
,
:master
]
project
.
team
<<
[
developer
,
:developer
]
project
.
team
<<
[
reporter
,
:reporter
]
project
.
team
<<
[
guest
,
:guest
]
end
describe
"GET /:project_path/snippets"
do
subject
{
namespace_project_snippets_path
(
project
.
namespace
,
project
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_allowed_for
:user
}
it
{
is_expected
.
to
be_allowed_for
:external
}
it
{
is_expected
.
to
be_allowed_for
:visitor
}
end
describe
"GET /:project_path/snippets/new"
do
subject
{
new_namespace_project_snippet_path
(
project
.
namespace
,
project
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_denied_for
guest
}
it
{
is_expected
.
to
be_denied_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
describe
"GET /:project_path/snippets/:id for a public snippet"
do
subject
{
namespace_project_snippet_path
(
project
.
namespace
,
project
,
public_snippet
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_allowed_for
:user
}
it
{
is_expected
.
to
be_allowed_for
:external
}
it
{
is_expected
.
to
be_allowed_for
:visitor
}
end
describe
"GET /:project_path/snippets/:id for an internal snippet"
do
subject
{
namespace_project_snippet_path
(
project
.
namespace
,
project
,
internal_snippet
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_allowed_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
describe
"GET /:project_path/snippets/:id for a private snippet"
do
subject
{
namespace_project_snippet_path
(
project
.
namespace
,
project
,
private_snippet
)
}
it
{
is_expected
.
to
be_allowed_for
:admin
}
it
{
is_expected
.
to
be_allowed_for
owner
}
it
{
is_expected
.
to
be_allowed_for
master
}
it
{
is_expected
.
to
be_allowed_for
developer
}
it
{
is_expected
.
to
be_allowed_for
reporter
}
it
{
is_expected
.
to
be_allowed_for
guest
}
it
{
is_expected
.
to
be_denied_for
:user
}
it
{
is_expected
.
to
be_denied_for
:external
}
it
{
is_expected
.
to
be_denied_for
:visitor
}
end
end