diff --git a/src/main/scala/app/ControllerBase.scala b/src/main/scala/app/ControllerBase.scala index da60646..9af9be7 100644 --- a/src/main/scala/app/ControllerBase.scala +++ b/src/main/scala/app/ControllerBase.scala @@ -5,14 +5,18 @@ import org.scalatra.json._ import org.json4s._ import jp.sf.amateras.scalatra.forms._ +import service.AccountService /** * Provides generic features for ScalatraServlet implementations. */ abstract class ControllerBase extends ScalatraFilter with ClientSideValidationFormSupport with JacksonJsonSupport { - + implicit val jsonFormats = DefaultFormats - + + /** + * Returns the context object for the request. + */ implicit def context: Context = Context(servletContext.getContextPath, LoginAccount) private def LoginAccount: Option[Account] = { @@ -22,6 +26,35 @@ } } + /** + * Allows only the repository owner and administrators. + */ + protected def ownerOnly(action: => Any) = { + { + context.loginAccount match { + case Some(x) if(x.userType == AccountService.Administrator) => action + case Some(x) if(request.getRequestURI.split("/")(1) == x.userName) => action + case _ => redirect("/signin") + } + } + } + + /** + * Allows only the repository owner and administrators. + */ + protected def ownerOnly[T](action: T => Any) = { + (form: T) => { + context.loginAccount match { + case Some(x) if(x.userType == AccountService.Administrator) => action(form) + case Some(x) if(request.getRequestURI.split("/")(1) == x.userName) => action(form) + case _ => redirect("/signin") + } + } + } + + /** + * Allows only signed in users. + */ protected def usersOnly(action: => Any) = { { context.loginAccount match { @@ -31,6 +64,9 @@ } } + /** + * Allows only signed in users. + */ protected def usersOnly[T](action: T => Any) = { (form: T) => { context.loginAccount match { diff --git a/src/main/scala/app/SettingsController.scala b/src/main/scala/app/SettingsController.scala index 3c09906..c6f1f52 100644 --- a/src/main/scala/app/SettingsController.scala 
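Review bot: In both `ownerOnly` overloads the owner test `request.getRequestURI.split("/")(1) == x.userName` reads the raw request URI, which under the servlet API still carries the context path; the same hunk builds `Context(servletContext.getContextPath, LoginAccount)`, so a non-root deployment is expected, and there the first segment is the context path rather than the owner — no owner is ever recognized, and an account whose name equals the context path would pass as owner of every repository. The raw URI is also undecoded, so a percent-encoded owner segment compares unequal; that fails closed, but the check is not looking at the path the router matched. If `ownerOnly` is only ever applied to `/:owner/...` routes (as the SettingsController hunk suggests), compare the matched parameter instead, `case Some(x) if (params.get("owner") == Some(x.userName)) => action`, or at least strip the context path first, `request.getRequestURI.stripPrefix(request.getContextPath).split("/")(1)`. The admin/owner predicate is repeated verbatim in the two overloads; a single `private def isOwnerOrAdmin(account: Account): Boolean` would keep them from drifting apart when the rule changes. A signed-in non-owner is redirected to `/signin` rather than denied; a 403 would make the refusal explicit, though that matches the existing `usersOnly` style.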
+++ b/src/main/scala/app/SettingsController.scala @@ -14,32 +14,32 @@ "userName" -> trim(label("Username", text(required, collaborator))) )(CollaboratorForm.apply) - get("/:owner/:repository/settings") { + get("/:owner/:repository/settings")(ownerOnly { val owner = params("owner") val repository = params("repository") redirect("/%s/%s/settings/options".format(owner, repository)) - } + }) - get("/:owner/:repository/settings/options") { + get("/:owner/:repository/settings/options")(ownerOnly { val owner = params("owner") val repository = params("repository") settings.html.options(getRepository(owner, repository, servletContext).get) - } + }) - get("/:owner/:repository/settings/collaborators") { + get("/:owner/:repository/settings/collaborators")(ownerOnly { val owner = params("owner") val repository = params("repository") settings.html.collaborators(getCollaborators(owner, repository), getRepository(owner, repository, servletContext).get) - } + }) - post("/:owner/:repository/settings/collaborators/_add", form) { form => + post("/:owner/:repository/settings/collaborators/_add", form)(ownerOnly { form => val owner = params("owner") val repository = params("repository") addCollaborator(owner, repository, form.userName) redirect("/%s/%s/settings/collaborators".format(owner, repository)) - } + }) def collaborator: Constraint = new Constraint(){ def validate(name: String, value: String): Option[String] = {