authorAlex Legler <alex@a3li.li>2010-09-16 15:03:54 +0200
committerAlex Legler <alex@a3li.li>2010-09-16 15:04:03 +0200
commitb1a5e55ca78fe024da0fa828b5df3db62ec22a7f (patch)
tree3e4da81592c29d97ca11871b502d0717d6f0d5b2
parentProperly implement the list pages (diff)
downloadglsamaker-b1a5e55ca78fe024da0fa828b5df3db62ec22a7f.tar.gz
glsamaker-b1a5e55ca78fe024da0fa828b5df3db62ec22a7f.tar.bz2
glsamaker-b1a5e55ca78fe024da0fa828b5df3db62ec22a7f.zip
Implement the Authorization system in GLSA:edit
-rw-r--r--app/controllers/application_controller.rb6
-rw-r--r--app/controllers/glsa_controller.rb30
-rw-r--r--app/controllers/index_controller.rb2
-rw-r--r--app/helpers/glsa_helper.rb9
-rw-r--r--app/models/glsa.rb14
-rw-r--r--app/models/user.rb8
-rw-r--r--app/views/glsa/_glsa_row.html.erb11
-rw-r--r--app/views/glsa/_status_legend.html.erb5
-rw-r--r--app/views/glsa/edit.html.erb1
-rw-r--r--app/views/index/error-access.html.erb7
-rw-r--r--app/views/index/error-disabled.html.erb4
-rw-r--r--app/views/index/error-system.html.erb2
-rw-r--r--app/views/index/error-user.html.erb2
-rwxr-xr-xpublic/images/icons/confidential.pngbin0 -> 778 bytes
-rwxr-xr-xpublic/images/icons/public.pngbin0 -> 687 bytes
-rw-r--r--public/stylesheets/screen.css4
16 files changed, 87 insertions, 18 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1d1438b..153168c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -20,4 +20,10 @@ class ApplicationController < ActionController::Base
# filter_parameter_logging :password
include Authentication
+
+ protected
+ def deny_access(msg)
+ logger.warn "[#{Time.now.rfc2822}] UNAUTHORIZED ACCESS by #{current_user.login} from #{request.remote_ip}: #{msg}"
+ redirect_to :controller => 'index', :action => 'error', :type => 'access'
+ end
end
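Review bot: `deny_access` interpolates `current_user.login` on the logger.warn line without a nil check, so any caller that reaches it before `login_required` has run (it lives on ApplicationController, not only on GlsaController) raises NoMethodError on nil instead of writing the audit line and redirecting. Guarding the interpolation, `#{current_user ? current_user.login : 'anonymous'}`, keeps the log entry useful in that case. A one-line comment on the method would also help callers, since it does not halt anything by itself: `# Logs the refused request and redirects to the access-denied page; the caller must return after calling this.`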
diff --git a/app/controllers/glsa_controller.rb b/app/controllers/glsa_controller.rb
index 72b499c..f3f9d9c 100644
--- a/app/controllers/glsa_controller.rb
+++ b/app/controllers/glsa_controller.rb
@@ -12,6 +12,7 @@
# GLSA controller
class GlsaController < ApplicationController
before_filter :login_required
+ before_filter :check_access_level, :except => [:new, :create]
def requests
@glsas = Glsa.find(:all, :conditions => "status = 'request'", :order => "updated_at DESC")
@@ -57,6 +58,7 @@ class GlsaController < ApplicationController
def show
@glsa = Glsa.find(params[:id])
+ return unless check_object_access(@glsa)
@rev = params[:rev_id].nil? ? @glsa.last_revision : @glsa.revisions.find_by_revid(params[:rev_id])
#flash.now[:error] = "[debug] id = %d, rev_id = %d" % [ params[:id], params[:rev_id] || -1 ]
@@ -71,6 +73,7 @@ class GlsaController < ApplicationController
def edit
@glsa = Glsa.find(params[:id])
+ return unless check_object_access(@glsa)
@rev = @glsa.last_revision
# Reset added or removed bugs in the meantime
@@ -92,6 +95,7 @@ class GlsaController < ApplicationController
def update
@glsa = Glsa.find(params[:id])
+ return unless check_object_access(@glsa)
@rev = @glsa.last_revision
if @glsa.nil?
@@ -297,5 +301,27 @@ class GlsaController < ApplicationController
render :text => "fail", :status => 500
end
end
-
-end
+
+ protected
+ def check_access_level
+
+ end
+
+ def check_object_access(glsa)
+ # Contributor, no foreign drafts
+ if current_user.access == 0
+ unless glsa.is_owner? current_user
+ deny_access "Access to GLSA #{glsa.id} (#{params[:action]})"
+ return false
+ end
+ elsif current_user.access == 1
+ if glsa.restricted
+ deny_access "Access to restricted GLSA #{glsa.id} (#{params[:action]})"
+ return false
+ end
+ end
+
+ return true
+ end
+
+end \ No newline at end of file
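Review bot: `check_access_level` is registered as a before_filter for every action except new/create, but its body is empty, so the filter currently enforces nothing and reads as protection that is not there; either implement it or leave the before_filter out until it does. `check_object_access` also encodes a second copy of the policy that `User#can_access?` in app/models/user.rb introduces in the same commit, and the two disagree: the controller rejects restricted GLSAs only for `access == 1` and never for an owning level-0 user, while the model rejects them for every `access < 3`, so a level-2 user has the item hidden in the list by the row partial yet can still open it through show/edit/update. Delegating to the model leaves one policy to review; any other action that loads a GLSA by id outside the hunks shown here is presumably still unguarded and worth checking.
```ruby
def check_object_access(glsa)
  return true if current_user.can_access?(glsa)
  deny_access "Access to #{'restricted ' if glsa.restricted}GLSA #{glsa.id} (#{params[:action]})"
  false
end
```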
diff --git a/app/controllers/index_controller.rb b/app/controllers/index_controller.rb
index 21c1715..3cbeec4 100644
--- a/app/controllers/index_controller.rb
+++ b/app/controllers/index_controller.rb
@@ -21,6 +21,8 @@ class IndexController < ApplicationController
render :template => 'index/error-user', :layout => 'notice'
elsif params[:type] == "disabled"
render :template => 'index/error-disabled', :layout => 'notice'
+ elsif params[:type] == "access"
+ render :template => 'index/error-access', :layout => 'notice'
else
render :template => 'index/error-system', :layout => 'notice'
end
diff --git a/app/helpers/glsa_helper.rb b/app/helpers/glsa_helper.rb
index b948160..250b40f 100644
--- a/app/helpers/glsa_helper.rb
+++ b/app/helpers/glsa_helper.rb
@@ -119,6 +119,13 @@ module GlsaHelper
image_tag "icons/not-approved.png", :title => "Please comment and/or approve."
end
end
-
+
+ def restricted_icon(status)
+ if status
+ image_tag "icons/confidential.png", :title => "This item is CONFIDENTIAL."
+ else
+ image_tag "icons/public.png", :title => "This item is public."
+ end
+ end
end
diff --git a/app/models/glsa.rb b/app/models/glsa.rb
index 676a2ae..0d0b266 100644
--- a/app/models/glsa.rb
+++ b/app/models/glsa.rb
@@ -20,7 +20,7 @@ class Glsa < ActiveRecord::Base
has_many :revisions
has_many :comments
-
+
# Returns the last revision object, referring to the current state of things
def last_revision
@last_revision ||= self.revisions.find(:first, :order => "revid DESC")
@@ -68,13 +68,18 @@ class Glsa < ActiveRecord::Base
end
return :none
end
+
+ # Returns true if user is the owner of this GLSA.
+ def is_owner?(user)
+ luser = (status == "request" ? requester : submitter)
+
+ luser == user
+ end
# Returns the workflow status of this GLSA for a given user.
# Return values: :own (own draft), :approved (approval given), :commented (comment or rejection given)
def workflow_status(user)
- luser = (status == "request" ? requester : submitter)
-
- if luser == user
+ if is_owner?(user)
return :own
end
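Review bot: `is_owner?` uses the `is_` prefix that Ruby predicate names conventionally omit; as the commit introduces the name, renaming it to `owner?` now is cheap, with the callers being `workflow_status` here, `check_object_access` in app/controllers/glsa_controller.rb and `can_access?` in app/models/user.rb. The comment above it could also state the rule it applies, which is not obvious from the name: `# Returns true if user owns this GLSA: the requester while it is a request, the submitter afterwards.`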
@@ -94,7 +99,6 @@ class Glsa < ActiveRecord::Base
comments.find(:all, :conditions => ['`read` = ?', false]).count > 0
end
-
# Files a new GLSA request
def self.new_request(title, bugs, comment, access, user)
glsa = Glsa.new
diff --git a/app/models/user.rb b/app/models/user.rb
index 84b78d7..a2693a7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -35,4 +35,12 @@ class User < ActiveRecord::Base
def is_el_jefe?
self.jefe
end
+
+ # Checks access to a given GLSA
+ def can_access?(glsa)
+ return false if access == 0 and not glsa.is_owner? self
+ return false if access < 3 and glsa.restricted
+
+ true
+ end
end
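Review bot: `can_access?` writes its two guards with `and`/`not`; they parse as intended here only because the modifier `if` binds looser than `and`, and `&&`/`!` is the conventional form that avoids the precedence trap: `return false if access == 0 && !glsa.is_owner?(self)` and `return false if access < 3 && glsa.restricted`. The numeric levels deserve a comment as well, since only 0 and the `< 3` boundary are visible in this commit: `# access: 0 = contributor (own items only); below 3 no restricted items — confirm the meaning of levels 1 and 2 against the user table.` Note that `check_object_access` in app/controllers/glsa_controller.rb applies a different cut-off (`access == 1`) for restricted items, so the two should be reconciled.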
diff --git a/app/views/glsa/_glsa_row.html.erb b/app/views/glsa/_glsa_row.html.erb
index a415f1f..1f461e1 100644
--- a/app/views/glsa/_glsa_row.html.erb
+++ b/app/views/glsa/_glsa_row.html.erb
@@ -1,10 +1,14 @@
-<tr class="<%= cycle 'even', 'odd' %>">
- <td><strong><tt><%= h glsa.glsa_id %></tt></strong></td>
+<% if current_user.can_access? glsa %>
+<tr class="<%= 'restricted' if glsa.restricted %> <%= cycle 'even', 'odd' %>">
<td>
<%= status_icon glsa.status %>
+ <strong><tt><%= h glsa.glsa_id %></tt></strong>
+ </td>
+ <td>
<%= bugready_icon false %>
<%= approval_icon glsa.approval_status %>
<%= workflow_icon(glsa.workflow_status(current_user)) %>
+ <%= restricted_icon glsa.restricted %>
</td>
<% if view == :requests %>
<td><strong><%= link_to(h(glsa.last_revision.title), {:action => 'edit', :id => glsa}, {:title => "Draft this GLSA"}) %></strong></td>
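Review bot: The row partial now drops rows with `current_user.can_access? glsa` at render time, so the collection the controller hands over still contains the restricted items; if any caller shows a count or paginates that collection (not visible in this commit), the figures will disagree with the rows actually drawn, and filtering in the query would avoid that. Separately, `<tr class="<%= 'restricted' if glsa.restricted %> <%= cycle 'even', 'odd' %>">` emits a class attribute with a leading space for public rows; `<%= [('restricted' if glsa.restricted), cycle('even', 'odd')].compact.join(' ') %>` keeps it tidy.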
@@ -23,4 +27,5 @@
<%= image_tag 'icons/delete.png' %>
</td>
<% end %>
-</tr> \ No newline at end of file
+</tr>
+<% end %> \ No newline at end of file
diff --git a/app/views/glsa/_status_legend.html.erb b/app/views/glsa/_status_legend.html.erb
index 3fc138f..4fde671 100644
--- a/app/views/glsa/_status_legend.html.erb
+++ b/app/views/glsa/_status_legend.html.erb
@@ -1,7 +1,8 @@
-<div class="legend">
- <strong>Legend:</strong><br />
+<div class="legend box">
+ <h2>Legend</h2>
<strong>Status:</strong> Request: <%= status_icon "request" %>; Draft: <%= status_icon "draft" %>; Sent GLSA: <%= status_icon "sent" %>
<strong>Bugs:</strong> ready: <%= bugready_icon true %>; not ready: <%= bugready_icon false %>
<strong>Approval:</strong> approved: <%= approval_icon :approved %>; comments pending: <%= approval_icon :comments_pending %>; commented: <%= approval_icon :commented %>; none: <%= approval_icon :none %>
<strong>Workflow:</strong> own GLSA: <%= workflow_icon :own %>; TODO: <%= workflow_icon :todo %>; commented: <%= workflow_icon :commented %>; approved: <%= workflow_icon :approved %>
+ <strong>Embargo:</strong> public: <%= restricted_icon false %>; confidential: <%= restricted_icon true %> and <span class="red">red</span> text
</div> \ No newline at end of file
diff --git a/app/views/glsa/edit.html.erb b/app/views/glsa/edit.html.erb
index e8ca253..224e864 100644
--- a/app/views/glsa/edit.html.erb
+++ b/app/views/glsa/edit.html.erb
@@ -57,7 +57,6 @@
<p><label for="keyword"><img src="/images/icons/keyword.png" alt="keyword" /> GLSA Keyword:</label>
<%= text_field_tag "glsa[product]", @rev.product, :class => "nice" %></p>
-
</div>
<div class="box">
diff --git a/app/views/index/error-access.html.erb b/app/views/index/error-access.html.erb
new file mode 100644
index 0000000..1cab0c2
--- /dev/null
+++ b/app/views/index/error-access.html.erb
@@ -0,0 +1,7 @@
+<h1>Access Denied</h1>
+
+<p><strong>You do not have sufficient permissions to perform this action.</strong></p>
+<p>The administrator has been notified.</p>
+<br /><br /><br />
+<p>You can get in touch with the administrative contact at
+<em><%= h GLSAMAKER_ADMIN_EMAIL %></em></p> \ No newline at end of file
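Review bot: The page tells the user `The administrator has been notified.`, but the only thing `deny_access` in app/controllers/application_controller.rb does on a refusal is `logger.warn`; nothing is sent to anyone. Either wire an actual notification into `deny_access` or reword the sentence to `This attempt has been logged.` so the page does not promise a follow-up that does not happen.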
diff --git a/app/views/index/error-disabled.html.erb b/app/views/index/error-disabled.html.erb
index 87fa1a4..a8765c2 100644
--- a/app/views/index/error-disabled.html.erb
+++ b/app/views/index/error-disabled.html.erb
@@ -1,5 +1,5 @@
-<h1>Welcome to GLSAMaker!</h1>
+<h1>Access Denied</h1>
<p><strong>Your account has been disabled.</strong></p>
-<p>You can get in touch with the administrative contact using
+<p>You can get in touch with the administrative contact at
<em><%= h GLSAMAKER_ADMIN_EMAIL %></em></p>
diff --git a/app/views/index/error-system.html.erb b/app/views/index/error-system.html.erb
index f954035..2cc1e82 100644
--- a/app/views/index/error-system.html.erb
+++ b/app/views/index/error-system.html.erb
@@ -5,4 +5,4 @@
In this environment, GLSAMaker receives the name of the logged in user via the
REMOTE_USER or HTTP_AUTHORIZATION variables which <strong>both are empty.</strong></small></p>
<p>Please get in touch with the administrative contact
-(<%= h GLSAMAKER_ADMIN_EMAIL %>) to fix this issue.</p>
+(<%= h GLSAMAKER_ADMIN_EMAIL %>) to fix this issue.</p> \ No newline at end of file
diff --git a/app/views/index/error-user.html.erb b/app/views/index/error-user.html.erb
index 793cf15..5830f4e 100644
--- a/app/views/index/error-user.html.erb
+++ b/app/views/index/error-user.html.erb
@@ -4,4 +4,4 @@
<p>While your user name and password were entered into the HTTP authentication database,
your account was not yet populated to the internal GLSAMaker database.</p>
<p>Either retry in a few minutes or get in touch with the administrative contact
-(<%= h GLSAMAKER_ADMIN_EMAIL %>) to fix this issue.</p>
+(<%= h GLSAMAKER_ADMIN_EMAIL %>) to fix this issue.</p> \ No newline at end of file
diff --git a/public/images/icons/confidential.png b/public/images/icons/confidential.png
new file mode 100755
index 0000000..ec71aec
--- /dev/null
+++ b/public/images/icons/confidential.png
Binary files differ
diff --git a/public/images/icons/public.png b/public/images/icons/public.png
new file mode 100755
index 0000000..1fff57c
--- /dev/null
+++ b/public/images/icons/public.png
Binary files differ
diff --git a/public/stylesheets/screen.css b/public/stylesheets/screen.css
index 3ad0476..1615a1d 100644
--- a/public/stylesheets/screen.css
+++ b/public/stylesheets/screen.css
@@ -482,6 +482,10 @@ table.glsa-list th {
padding: .5em;
}
+table.glsa-list tr.restricted, table.glsa-list tr.restricted a, .legend .red {
+ color: #a40000 !important;
+}
+
table.glsa-list td {
padding: .5em;
padding-top: .4em;