diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 962500fa70..c1ee11053d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -288,7 +288,8 @@ class ApplicationController < ActionController::Base
 
 # Authorize the user for the requested action
 def authorize(ctrl = params[:controller], action = params[:action], global = false)
- is_authorized = AuthorizationService.new(ctrl, action, @project, @projects, global).perform
+ context = @project || @projects
+ is_authorized = AuthorizationService.new(ctrl, action, context: context, global: global).call
 
 unless is_authorized
 if @project && @project.archived?
diff --git a/app/services/authorization_service.rb b/app/services/authorization_service.rb
index 8001c65c19..5e9c34d9dd 100644
--- a/app/services/authorization_service.rb
+++ b/app/services/authorization_service.rb
@@ -27,22 +27,26 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
 
+# project, projects, global, user = nil
+
 class AuthorizationService
- def initialize(ctrl, action, project, projects, global, user = nil)
+ # @params
+ # ctrl - controller
+ # action - action
+ # @named params
+ # context - single project or array of projects - default nil
+ # global - global - default false
+ # user - user - default current user
+ def initialize(ctrl, action, context: nil , global: false, user: User.current)
 @ctrl = ctrl
 @action = action
- @project = project
- @projects = projects
+ @context = context
 @global = global
- @user = user || User.current
+ @user = user
 end
 
- def perform
- allowed = @user.allowed_to?({:controller => @ctrl, :action => @action}, @project || @projects, :global => @global)
- if allowed
- true
- else
- false
- end
+ def call
+ @user.allowed_to?({:controller => @ctrl, :action => @action}, @context, :global => @global)
 end
 end
+
diff --git a/lib/api/root.rb b/lib/api/root.rb
index dd74cc478d..8d36ff9595 100644
--- a/lib/api/root.rb
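Review bot: The comment `# Authorize the user for the requested action` no longer explains where the authorization context comes from, and the new `context = @project || @projects` line is now the only place that choice is made; I'd extend it to `# Authorize the user for the requested action against @project, or @projects when no single project is set; global = true is for actions that are not project-scoped.` When neither instance variable is set the service is called with `context: nil, global: false`, which presumably makes `allowed_to?` deny — worth confirming, since that is the fail-closed path every unscoped controller relies on. The body of authorize continues outside the hunk.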
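Review bot: `@user = user` drops the fallback the removed `@user = user || User.current` provided, so a caller passing `user: nil` explicitly now reaches `nil.allowed_to?` in `call` and fails with NoMethodError instead of producing an authorization decision; lib/api/root.rb passes `user: current_user`, and this diff does not show that to be non-nil on every path. Either keep `@user = user || User.current` or fail deliberately with `raise ArgumentError, 'user must not be nil' if user.nil?` so the failure mode is explicit rather than incidental. `call` also returns whatever `allowed_to?` returns rather than the strict true/false `perform` produced; harmless for the `unless` callers here, but root.rb hands the value back to endpoints, so the doc comment should say it is truthy/falsy. The line `# project, projects, global, user = nil` above the class is a leftover of the old signature and should go, and the parameter block would read better as YARD lines such as `@param context [Project, Array<Project>, nil]`. Minor: `context: nil ,` has a stray space before the comma.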
+++ b/lib/api/root.rb
@@ -48,13 +48,9 @@ module API
 raise API::Errors::Unauthenticated.new if current_user.nil? || current_user.anonymous?
 end
 
- def authorize(api, endpoint, options)
- unless options[:allow].nil?
- raise API::Errors::Unauthorized.new(current_user) unless options[:allow]
- end
- is_authorized = AuthorizationService.new(api, endpoint, options[:project], options[:projects],
- !!options[:global], current_user).perform
- raise API::Errors::Unauthorized.new(current_user) unless is_authorized
+ def authorize(api, endpoint, context: nil, global: false, user: current_user, allow: true)
+ is_authorized = AuthorizationService.new(api, endpoint, context: context, global: global, user: user).call
+ raise API::Errors::Unauthorized.new(current_user) unless is_authorized && allow
 is_authorized
 end
 end
diff --git a/lib/api/v3/queries/queries_api.rb b/lib/api/v3/queries/queries_api.rb
index 898c3012b5..4a02fa9c13 100644
--- a/lib/api/v3/queries/queries_api.rb
+++ b/lib/api/v3/queries/queries_api.rb
@@ -25,7 +25,7 @@ module API
 end
 
 patch :star do
- authorize(:queries, :star, project: @query.project, allow: allowed_to_manage_stars?)
+ authorize(:queries, :star, context: @query.project, allow: allowed_to_manage_stars?)
 normalized_query_name = @query.name.parameterize.underscore
 query_menu_item = MenuItems::QueryMenuItem.find_or_initialize_by_name_and_navigatable_id(
 normalized_query_name, @query.id, title: @query.name
@@ -35,7 +35,7 @@ module API
 end
 
 patch :unstar do
- authorize(:queries, :unstar, project: @query.project, allow: allowed_to_manage_stars?)
+ authorize(:queries, :unstar, context: @query.project, allow: allowed_to_manage_stars?)
 query_menu_item = @query.query_menu_item
 return @representer.to_json if @query.query_menu_item.nil?
 query_menu_item.destroy
diff --git a/lib/api/v3/work_packages/work_packages_api.rb b/lib/api/v3/work_packages/work_packages_api.rb
index 95836be639..c2d1a0f5eb 100644
--- a/lib/api/v3/work_packages/work_packages_api.rb
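Review bot: `raise API::Errors::Unauthorized.new(current_user)` still names `current_user` while the permission check now runs against the `user:` keyword, so an endpoint that passes a different user gets an error attributed to the wrong principal; that line should read `raise API::Errors::Unauthorized.new(user) unless is_authorized && allow`. The `allow:` semantics also changed: the removed code raised before any permission lookup when `options[:allow]` was explicitly false and skipped that check entirely when it was nil, whereas now `allow: nil` raises Unauthorized and the service is always evaluated first. Denying on nil is the safer direction, but it deserves a comment such as `# allow: an extra caller-supplied condition; both it and the permission check must hold` so the old nil-means-skip reading is not reintroduced. `global` is no longer coerced with `!!`, which only matters if a caller passes a non-boolean.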
+++ b/lib/api/v3/work_packages/work_packages_api.rb
@@ -17,7 +17,7 @@ module API
 end
 
 get do
- authorize(:work_packages_api, :get, project: @work_package.project)
+ authorize(:work_packages_api, :get, context: @work_package.project)
 @representer.to_json
 end