authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2015-01-13 14:16:12 -0800
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2015-01-13 14:16:12 -0800
commita91b8f9be565ebe922e9d006982430ff027331ae (patch)
treec15fed5c5c8b1840826b16a9e3f7d27825241f5f
parent41cbcd7080d896519f1348ae43099719217c15b9 (diff)
downloadgitlab-ci-a91b8f9be565ebe922e9d006982430ff027331ae.tar.gz
Add check if user allowed to manage project
For now do this by checking whether the user has access to GitLab project hooks
-rw-r--r--app/controllers/application_controller.rb6
-rw-r--r--app/controllers/builds_controller.rb1
-rw-r--r--app/controllers/charts_controller.rb1
-rw-r--r--app/controllers/jobs_controller.rb1
-rw-r--r--app/controllers/projects_controller.rb1
-rw-r--r--app/controllers/runners_controller.rb1
-rw-r--r--app/controllers/web_hooks_controller.rb1
-rw-r--r--app/models/network.rb18
-rw-r--r--app/models/user.rb10
-rw-r--r--app/views/layouts/project.html.haml2
10 files changed, 41 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 158893e..62cccea 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -46,6 +46,12 @@ class ApplicationController < ActionController::Base
end
end
+ def authorize_manage_project!
+ unless current_user.can_manage_project?(@project.gitlab_id)
+ return page_404
+ end
+ end
+
def page_404
render file: "#{Rails.root}/public/404.html", status: 404, layout: false
end
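Review bot: `authorize_manage_project!` dereferences both `current_user` and `@project` without a guard, so it is only safe in a filter chain where `authenticate_user!` and `project` have already run; that precondition is worth a comment, since the filter is declared independently in six controllers. The `unless … return page_404 … end` can be the modifier form `page_404 unless current_user.can_manage_project?(@project.gitlab_id)` — rendering inside a before_filter already halts the chain, so the explicit `return` adds nothing. A header comment such as `# Halts with 404 (not 403) so a non-manager cannot tell whether the project exists; must run after authenticate_user! and project.` would make the fail-closed intent explicit to the next reader.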
diff --git a/app/controllers/builds_controller.rb b/app/controllers/builds_controller.rb
index 24f4fd9..e83fa68 100644
--- a/app/controllers/builds_controller.rb
+++ b/app/controllers/builds_controller.rb
@@ -2,6 +2,7 @@ class BuildsController < ApplicationController
before_filter :authenticate_user!, except: [:status]
before_filter :project
before_filter :authorize_access_project!, except: [:status]
+ before_filter :authorize_manage_project!, except: [:status]
before_filter :build, except: [:show]
def show
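Review bot: The new filter in BuildsController applies to every action except `status`, so merely viewing a build (`show`) now requires the same hook-level access that the commit uses as the "can manage" signal; if users who can only read the project are still meant to see builds, `show` belongs in the `except:` list as well, e.g. `before_filter :authorize_manage_project!, except: [:status, :show]`. The same filter is added in the charts, jobs, projects, runners and web_hooks controllers; in each it is declared after `project` and `authorize_access_project!`, which matters because `authorize_manage_project!` dereferences `@project` and `current_user` — keep that order if the filters are ever rearranged. In ProjectsController the `only:` list is a subset of the actions that load `project`, which is consistent.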
diff --git a/app/controllers/charts_controller.rb b/app/controllers/charts_controller.rb
index 664048e..4c39835 100644
--- a/app/controllers/charts_controller.rb
+++ b/app/controllers/charts_controller.rb
@@ -2,6 +2,7 @@ class ChartsController < ApplicationController
before_filter :authenticate_user!
before_filter :project
before_filter :authorize_access_project!
+ before_filter :authorize_manage_project!
layout 'project'
diff --git a/app/controllers/jobs_controller.rb b/app/controllers/jobs_controller.rb
index f7b8681..20a72a3 100644
--- a/app/controllers/jobs_controller.rb
+++ b/app/controllers/jobs_controller.rb
@@ -2,6 +2,7 @@ class JobsController < ApplicationController
before_filter :authenticate_user!
before_filter :project
before_filter :authorize_access_project!
+ before_filter :authorize_manage_project!
layout 'project'
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 245ec85..10de5da 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -2,6 +2,7 @@ class ProjectsController < ApplicationController
before_filter :authenticate_user!, except: [:build, :badge, :index, :show]
before_filter :project, only: [:build, :integration, :show, :badge, :edit, :update, :destroy]
before_filter :authorize_access_project!, except: [:build, :gitlab, :badge, :index, :show, :new, :create]
+ before_filter :authorize_manage_project!, only: [:edit, :integration, :update, :destroy]
before_filter :authenticate_token!, only: [:build]
before_filter :no_cache, only: [:badge]
protect_from_forgery except: :build
diff --git a/app/controllers/runners_controller.rb b/app/controllers/runners_controller.rb
index f061282..395d376 100644
--- a/app/controllers/runners_controller.rb
+++ b/app/controllers/runners_controller.rb
@@ -3,6 +3,7 @@ class RunnersController < ApplicationController
before_filter :project
before_filter :set_runner, only: [:edit, :update, :destroy]
before_filter :authorize_access_project!
+ before_filter :authorize_manage_project!
layout 'project'
diff --git a/app/controllers/web_hooks_controller.rb b/app/controllers/web_hooks_controller.rb
index f7906ff..03b89cd 100644
--- a/app/controllers/web_hooks_controller.rb
+++ b/app/controllers/web_hooks_controller.rb
@@ -2,6 +2,7 @@ class WebHooksController < ApplicationController
before_filter :authenticate_user!
before_filter :project
before_filter :authorize_access_project!
+ before_filter :authorize_manage_project!
layout 'project'
diff --git a/app/models/network.rb b/app/models/network.rb
index f140dfb..023dca1 100644
--- a/app/models/network.rb
+++ b/app/models/network.rb
@@ -79,6 +79,24 @@ class Network
end
end
+ def project_hooks(url, api_opts, project_id)
+ opts = {
+ query: api_opts,
+ headers: {"Content-Type" => "application/json"},
+ }
+
+ query = "projects/#{project_id}/hooks.json"
+
+ endpoint = File.join(url, API_PREFIX, query)
+ response = self.class.get(endpoint, opts)
+
+ if response.code == 200
+ response.parsed_response
+ else
+ nil
+ end
+ end
+
def enable_ci(url, project_id, ci_opts, token)
opts = {
body: ci_opts.to_json,
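Review bot: `project_hooks` maps every non-200 response to `nil`, so a GitLab 5xx or an unreachable server is indistinguishable to the caller from a 403; that is fail-closed, but `User#can_manage_project?` then caches the result as a denial, so the status code should at least be logged before returning, e.g. `Rails.logger.warn("project_hooks for #{project_id} returned #{response.code}") unless response.code == 200`. The `api_opts` passed as `query:` carry the user's `private_token` (see user.rb), which puts the credential in the request URL where proxies and access logs can record it; GitLab's API also accepts the token in a `PRIVATE-TOKEN` header, which avoids that. The `"Content-Type" => "application/json"` header is unnecessary on a GET with no body. A transport error from `self.class.get` (timeout, refused connection) presumably propagates as an exception here, as it appears to for the neighbouring methods — confirm the before_filter caller tolerates that.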
diff --git a/app/models/user.rb b/app/models/user.rb
index 83ee1b5..6c16035 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -41,4 +41,14 @@ class User
!!Network.new.project(self.url, opts, project_gitlab_id)
end
end
+
+ def can_manage_project?(project_gitlab_id)
+ opts = {
+ private_token: self.private_token,
+ }
+
+ Rails.cache.fetch(cache_key('manage', project_gitlab_id, sync_at)) do
+ !!Network.new.project_hooks(self.url, opts, project_gitlab_id)
+ end
+ end
end
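Review bot: `can_manage_project?` caches an authorization decision under a key that changes only with `sync_at`, so a manager role revoked on the GitLab side stays effective here until the user next syncs, and a transient `nil` from `Network#project_hooks` (any non-200 response) is cached as a denial for the same period. Keeping a grant until the next sync is defensible, but denials should be short-lived so a GitLab outage cannot lock a legitimate manager out; the rewrite below keeps grants until sync and expires denials after a minute. The staleness window is also worth a YARD `@note` on the method so callers treat it as a cached hint rather than a live check. `sync_at` is presumably refreshed only by an explicit re-sync — confirm that is the sole invalidation path.
```ruby
def can_manage_project?(project_gitlab_id)
  opts = { private_token: self.private_token }
  key = cache_key('manage', project_gitlab_id, sync_at)

  cached = Rails.cache.read(key)
  return cached unless cached.nil?

  allowed = !!Network.new.project_hooks(self.url, opts, project_gitlab_id)
  if allowed
    Rails.cache.write(key, true)
  else
    # project_hooks returns nil for any non-200, so a denial may be a transient
    # GitLab error: keep it only briefly instead of until sync_at changes.
    Rails.cache.write(key, false, expires_in: 1.minute)
  end
  allowed
end
```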
diff --git a/app/views/layouts/project.html.haml b/app/views/layouts/project.html.haml
index 243bd27..809714b 100644
--- a/app/views/layouts/project.html.haml
+++ b/app/views/layouts/project.html.haml
@@ -18,7 +18,7 @@
%hr
.container
.row
- - if current_user
+ - if current_user && current_user.can_manage_project?(@project.gitlab_id)
.col-md-2.append-bottom-20
%ul.nav.nav-pills.nav-stacked.project-menu
= nav_link path: 'projects#show' do