author | Alex Legler <alex@a3li.li> | 2010-09-16 15:03:54 +0200 |
---|---|---|
committer | Alex Legler <alex@a3li.li> | 2010-09-16 15:04:03 +0200 |
commit | b1a5e55ca78fe024da0fa828b5df3db62ec22a7f (patch) | |
tree | 3e4da81592c29d97ca11871b502d0717d6f0d5b2 | |
parent | Properly implement the list pages (diff) | |
Implement the Authorization system in GLSA:edit
-rw-r--r-- | app/controllers/application_controller.rb | 6 | ||||
-rw-r--r-- | app/controllers/glsa_controller.rb | 30 | ||||
-rw-r--r-- | app/controllers/index_controller.rb | 2 | ||||
-rw-r--r-- | app/helpers/glsa_helper.rb | 9 | ||||
-rw-r--r-- | app/models/glsa.rb | 14 | ||||
-rw-r--r-- | app/models/user.rb | 8 | ||||
-rw-r--r-- | app/views/glsa/_glsa_row.html.erb | 11 | ||||
-rw-r--r-- | app/views/glsa/_status_legend.html.erb | 5 | ||||
-rw-r--r-- | app/views/glsa/edit.html.erb | 1 | ||||
-rw-r--r-- | app/views/index/error-access.html.erb | 7 | ||||
-rw-r--r-- | app/views/index/error-disabled.html.erb | 4 | ||||
-rw-r--r-- | app/views/index/error-system.html.erb | 2 | ||||
-rw-r--r-- | app/views/index/error-user.html.erb | 2 | ||||
-rwxr-xr-x | public/images/icons/confidential.png | bin | 0 -> 778 bytes | |||
-rwxr-xr-x | public/images/icons/public.png | bin | 0 -> 687 bytes | |||
-rw-r--r-- | public/stylesheets/screen.css | 4 |
16 files changed, 87 insertions, 18 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 1d1438b..153168c 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -20,4 +20,10 @@ class ApplicationController < ActionController::Base # filter_parameter_logging :password include Authentication + + protected + def deny_access(msg) + logger.warn "[#{Time.now.rfc2822}] UNAUTHORIZED ACCESS by #{current_user.login} from #{request.remote_ip}: #{msg}" + redirect_to :controller => 'index', :action => 'error', :type => 'access' + end end diff --git a/app/controllers/glsa_controller.rb b/app/controllers/glsa_controller.rb index 72b499c..f3f9d9c 100644 --- a/app/controllers/glsa_controller.rb +++ b/app/controllers/glsa_controller.rb @@ -12,6 +12,7 @@ # GLSA controller class GlsaController < ApplicationController before_filter :login_required + before_filter :check_access_level, :except => [:new, :create] def requests @glsas = Glsa.find(:all, :conditions => "status = 'request'", :order => "updated_at DESC") @@ -57,6 +58,7 @@ class GlsaController < ApplicationController def show @glsa = Glsa.find(params[:id]) + return unless check_object_access(@glsa) @rev = params[:rev_id].nil? ? @glsa.last_revision : @glsa.revisions.find_by_revid(params[:rev_id]) #flash.now[:error] = "[debug] id = %d, rev_id = %d" % [ params[:id], params[:rev_id] || -1 ] @@ -71,6 +73,7 @@ class GlsaController < ApplicationController def edit @glsa = Glsa.find(params[:id]) + return unless check_object_access(@glsa) @rev = @glsa.last_revision # Reset added or removed bugs in the meantime @@ -92,6 +95,7 @@ class GlsaController < ApplicationController def update @glsa = Glsa.find(params[:id]) + return unless check_object_access(@glsa) @rev = @glsa.last_revision if @glsa.nil? 
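Review bot: `deny_access` interpolates `current_user.login` unconditionally, and since it lives in ApplicationController rather than behind GlsaController's `login_required` filter, any future caller without a logged-in user would raise NoMethodError inside the warning before the redirect is issued; `#{current_user ? current_user.login : 'anonymous'}` keeps the audit line robust. That `logger.warn` is the only record of a denial in this commit, so the sentence "The administrator has been notified." in the new error-access.html.erb is not backed by anything — either drop the sentence or wire an actual notification into `deny_access`. The same method is reused by `check_object_access` in glsa_controller.rb further down, so fixing it here covers both call sites.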
@@ -297,5 +301,27 @@ class GlsaController < ApplicationController
 render :text => "fail", :status => 500
 end
 end
-
-end
+
+ protected
+ def check_access_level
+
+ end
+
+ def check_object_access(glsa)
+ # Contributor, no foreign drafts
+ if current_user.access == 0
+ unless glsa.is_owner? current_user
+ deny_access "Access to GLSA #{glsa.id} (#{params[:action]})"
+ return false
+ end
+ elsif current_user.access == 1
+ if glsa.restricted
+ deny_access "Access to restricted GLSA #{glsa.id} (#{params[:action]})"
+ return false
+ end
+ end
+
+ return true
+ end
+
+end
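Review bot: `check_object_access` re-implements the rule that `User#can_access?` encodes in the same commit, and the two disagree: the controller denies restricted GLSAs only when `current_user.access == 1`, while the model denies them for every `access < 3`, so a level-2 user has restricted items hidden from the list yet can still open them through show/edit/update by id. Delegate to the model so there is one source of truth: `return true if current_user.can_access?(glsa)`, then `deny_access "Access to GLSA #{glsa.id} (#{params[:action]})"` and `false`. `check_access_level` is registered as a `before_filter` for every action except new/create (first glsa_controller.rb hunk) but has an empty body, so it currently enforces nothing; give it the intended check or leave the filter out until it has one. Any other GlsaController action that loads a GLSA from `params[:id]` lies outside this hunk and would need the same `return unless check_object_access(@glsa)` guard that show/edit/update received.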
\ No newline at end of file diff --git a/app/controllers/index_controller.rb b/app/controllers/index_controller.rb index 21c1715..3cbeec4 100644 --- a/app/controllers/index_controller.rb +++ b/app/controllers/index_controller.rb @@ -21,6 +21,8 @@ class IndexController < ApplicationController render :template => 'index/error-user', :layout => 'notice' elsif params[:type] == "disabled" render :template => 'index/error-disabled', :layout => 'notice' + elsif params[:type] == "access" + render :template => 'index/error-access', :layout => 'notice' else render :template => 'index/error-system', :layout => 'notice' end diff --git a/app/helpers/glsa_helper.rb b/app/helpers/glsa_helper.rb index b948160..250b40f 100644 --- a/app/helpers/glsa_helper.rb +++ b/app/helpers/glsa_helper.rb @@ -119,6 +119,13 @@ module GlsaHelper image_tag "icons/not-approved.png", :title => "Please comment and/or approve." end end - + + def restricted_icon(status) + if status + image_tag "icons/confidential.png", :title => "This item is CONFIDENTIAL." + else + image_tag "icons/public.png", :title => "This item is public." + end + end end diff --git a/app/models/glsa.rb b/app/models/glsa.rb index 676a2ae..0d0b266 100644 --- a/app/models/glsa.rb +++ b/app/models/glsa.rb @@ -20,7 +20,7 @@ class Glsa < ActiveRecord::Base has_many :revisions has_many :comments - + # Returns the last revision object, referring to the current state of things def last_revision @last_revision ||= self.revisions.find(:first, :order => "revid DESC") 
@@ -68,13 +68,18 @@ class Glsa < ActiveRecord::Base end return :none end + + # Returns true if user is the owner of this GLSA. + def is_owner?(user) + luser = (status == "request" ? requester : submitter) + + luser == user + end # Returns the workflow status of this GLSA for a given user. # Return values: :own (own draft), :approved (approval given), :commented (comment or rejection given) def workflow_status(user) - luser = (status == "request" ? requester : submitter) - - if luser == user + if is_owner?(user) return :own end @@ -94,7 +99,6 @@ class Glsa < ActiveRecord::Base comments.find(:all, :conditions => ['`read` = ?', false]).count > 0 end - # Files a new GLSA request def self.new_request(title, bugs, comment, access, user) glsa = Glsa.new diff --git a/app/models/user.rb b/app/models/user.rb index 84b78d7..a2693a7 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -35,4 +35,12 @@ class User < ActiveRecord::Base def is_el_jefe? self.jefe end + + # Checks access to a given GLSA + def can_access?(glsa) + return false if access == 0 and not glsa.is_owner? self + return false if access < 3 and glsa.restricted + + true + end end diff --git a/app/views/glsa/_glsa_row.html.erb b/app/views/glsa/_glsa_row.html.erb index a415f1f..1f461e1 100644 --- a/app/views/glsa/_glsa_row.html.erb +++ b/app/views/glsa/_glsa_row.html.erb 
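Review bot: `User#can_access?` uses `and`/`not` for boolean logic, which bind looser than `&&`/`!` and are a well-known precedence trap; `return false if access == 0 && !glsa.is_owner?(self)` and `return false if access < 3 && glsa.restricted` parse the same way here but will not surprise the next editor. The predicate added to glsa.rb carries an `is_` prefix that Ruby convention drops (`owner?(user)`), and it is also the natural place to document the access levels as the model understands them, e.g. `# access 0: own drafts only; 1-2: public GLSAs; 3+: restricted as well`, since nothing in the diff names what the integers mean. `is_owner?` compares `luser == user` directly, so a GLSA whose requester or submitter is nil would report a nil user as its owner; harmless for `can_access?`, which passes `self`, but a `return false if user.nil?` guard is cheap if other callers appear.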
@@ -1,10 +1,14 @@ -<tr class="<%= cycle 'even', 'odd' %>"> - <td><strong><tt><%= h glsa.glsa_id %></tt></strong></td> +<% if current_user.can_access? glsa %> +<tr class="<%= 'restricted' if glsa.restricted %> <%= cycle 'even', 'odd' %>"> <td> <%= status_icon glsa.status %> + <strong><tt><%= h glsa.glsa_id %></tt></strong> + </td> + <td> <%= bugready_icon false %> <%= approval_icon glsa.approval_status %> <%= workflow_icon(glsa.workflow_status(current_user)) %> + <%= restricted_icon glsa.restricted %> </td> <% if view == :requests %> <td><strong><%= link_to(h(glsa.last_revision.title), {:action => 'edit', :id => glsa}, {:title => "Draft this GLSA"}) %></strong></td> @@ -23,4 +27,5 @@ <%= image_tag 'icons/delete.png' %> </td> <% end %> -</tr>
\ No newline at end of file +</tr> +<% end %>
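Review bot: The row partial now decides visibility with `current_user.can_access? glsa`, so restricted records are still loaded and handed to the view and are only dropped at render time; any other consumer of `@glsas` (row counts, exports, a later JSON view) would still see them. Filtering in the controller, e.g. `@glsas = @glsas.select { |g| current_user.can_access?(g) }` after each find, keeps authorization out of the template; the controller queries are outside this hunk. The class attribute `<%= 'restricted' if glsa.restricted %> <%= cycle 'even', 'odd' %>` renders a leading space for public rows — harmless, but `[('restricted' if glsa.restricted), cycle('even', 'odd')].compact.join(' ')` avoids it.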
\ No newline at end of file diff --git a/app/views/glsa/_status_legend.html.erb b/app/views/glsa/_status_legend.html.erb index 3fc138f..4fde671 100644 --- a/app/views/glsa/_status_legend.html.erb +++ b/app/views/glsa/_status_legend.html.erb @@ -1,7 +1,8 @@ -<div class="legend"> - <strong>Legend:</strong><br /> +<div class="legend box"> + <h2>Legend</h2> <strong>Status:</strong> Request: <%= status_icon "request" %>; Draft: <%= status_icon "draft" %>; Sent GLSA: <%= status_icon "sent" %> <strong>Bugs:</strong> ready: <%= bugready_icon true %>; not ready: <%= bugready_icon false %> <strong>Approval:</strong> approved: <%= approval_icon :approved %>; comments pending: <%= approval_icon :comments_pending %>; commented: <%= approval_icon :commented %>; none: <%= approval_icon :none %> <strong>Workflow:</strong> own GLSA: <%= workflow_icon :own %>; TODO: <%= workflow_icon :todo %>; commented: <%= workflow_icon :commented %>; approved: <%= workflow_icon :approved %> + <strong>Embargo:</strong> public: <%= restricted_icon false %>; confidential: <%= restricted_icon true %> and <span class="red">red</span> text </div>
\ No newline at end of file diff --git a/app/views/glsa/edit.html.erb b/app/views/glsa/edit.html.erb index e8ca253..224e864 100644 --- a/app/views/glsa/edit.html.erb +++ b/app/views/glsa/edit.html.erb @@ -57,7 +57,6 @@ <p><label for="keyword"><img src="/images/icons/keyword.png" alt="keyword" /> GLSA Keyword:</label> <%= text_field_tag "glsa[product]", @rev.product, :class => "nice" %></p> - </div> <div class="box"> diff --git a/app/views/index/error-access.html.erb b/app/views/index/error-access.html.erb new file mode 100644 index 0000000..1cab0c2 --- /dev/null +++ b/app/views/index/error-access.html.erb @@ -0,0 +1,7 @@ +<h1>Access Denied</h1> + +<p><strong>You do not have sufficient permissions to perform this action.</strong></p> +<p>The administrator has been notified.</p> +<br /><br /><br /> +<p>You can get in touch with the administrative contact at +<em><%= h GLSAMAKER_ADMIN_EMAIL %></em></p>
\ No newline at end of file diff --git a/app/views/index/error-disabled.html.erb b/app/views/index/error-disabled.html.erb index 87fa1a4..a8765c2 100644 --- a/app/views/index/error-disabled.html.erb +++ b/app/views/index/error-disabled.html.erb @@ -1,5 +1,5 @@ -<h1>Welcome to GLSAMaker!</h1> +<h1>Access Denied</h1> <p><strong>Your account has been disabled.</strong></p> -<p>You can get in touch with the administrative contact using +<p>You can get in touch with the administrative contact at <em><%= h GLSAMAKER_ADMIN_EMAIL %></em></p> diff --git a/app/views/index/error-system.html.erb b/app/views/index/error-system.html.erb index f954035..2cc1e82 100644 --- a/app/views/index/error-system.html.erb +++ b/app/views/index/error-system.html.erb @@ -5,4 +5,4 @@ In this environment, GLSAMaker receives the name of the logged in user via the REMOTE_USER or HTTP_AUTHORIZATION variables which <strong>both are empty.</strong></small></p> <p>Please get in touch with the administrative contact -(<%= h GLSAMAKER_ADMIN_EMAIL %>) to fix this issue.</p> +(<%= h GLSAMAKER_ADMIN_EMAIL %>) to fix this issue.</p>
\ No newline at end of file diff --git a/app/views/index/error-user.html.erb b/app/views/index/error-user.html.erb index 793cf15..5830f4e 100644 --- a/app/views/index/error-user.html.erb +++ b/app/views/index/error-user.html.erb @@ -4,4 +4,4 @@ <p>While your user name and password were entered into the HTTP authentication database, your account was not yet populated to the internal GLSAMaker database.</p> <p>Either retry in a few minutes or get in touch with the administrative contact -(<%= h GLSAMAKER_ADMIN_EMAIL %>) to fix this issue.</p> +(<%= h GLSAMAKER_ADMIN_EMAIL %>) to fix this issue.</p>
\ No newline at end of file diff --git a/public/images/icons/confidential.png b/public/images/icons/confidential.png Binary files differnew file mode 100755 index 0000000..ec71aec --- /dev/null +++ b/public/images/icons/confidential.png diff --git a/public/images/icons/public.png b/public/images/icons/public.png Binary files differnew file mode 100755 index 0000000..1fff57c --- /dev/null +++ b/public/images/icons/public.png diff --git a/public/stylesheets/screen.css b/public/stylesheets/screen.css index 3ad0476..1615a1d 100644 --- a/public/stylesheets/screen.css +++ b/public/stylesheets/screen.css @@ -482,6 +482,10 @@ table.glsa-list th { padding: .5em; } +table.glsa-list tr.restricted, table.glsa-list tr.restricted a, .legend .red { + color: #a40000 !important; +} + table.glsa-list td { padding: .5em; padding-top: .4em; |