pull request添加权限控制

2016-11-25 20:13:37 +08:00 · 2016-11-25 20:13:37 +08:00 · 8318bced7f
parent c965f72ce3
commit 8318bced7f
1 changed files with 18 additions and 2 deletions
--- a/app/controllers/pull_requests_controller.rb
+++ b/app/controllers/pull_requests_controller.rb
@ -3,8 +3,9 @@
 class PullRequestsController < ApplicationController
  before_filter :authorize_logged
  before_filter :find_project_and_repository
-  before_filter :connect_gitlab, :only => [:index, :show, :create, :accept_pull_request, :pull_request_commits, :pull_request_changes, :new,
-                                              :update_pull_request, :pull_request_comments, :create_pull_request_comment, :compare_pull_request]
+  before_filter :connect_gitlab, :only => [:index, :show, :create, :accept_pull_request, :pull_request_commits, :pull_request_changes, :new,                                              :update_pull_request, :pull_request_comments, :create_pull_request_comment, :compare_pull_request]
+  before_filter :member_allowed, :only => [:new, :create]
+  before_filter :manager_allowed, :only => [:accept_pull_request]

  layout "base_projects"
  include PullRequestsHelper
@ -287,6 +288,21 @@ class PullRequestsController < ApplicationController
  end

  private
+  # post 相关操作权限控制
+  # 项目管理员可操作
+  def manager_allowed
+    unless is_project_manager?(User.current.id, @project.id)
+      return render_403
+    end
+  end
+
+  # 项目成员可操作
+  def member_allowed
+    unless User.current.member_of?(@project)
+      return render_403
+    end
+  end
+
  def authorize_logged
    if !User.current.logged?
      redirect_to signin_path