diff options
| author | wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf <61180606+wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf@users.noreply.github.com> | 2020-08-22 08:58:59 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-08-22 02:58:59 -0400 |
| commit | d4e35b9dc61779559fe28a7537d28bef2938a443 (patch) | |
| tree | 833e669f014fc661fec2b1842e268bcda119462f /routers/routes | |
| parent | a0484890c11a088330db0e3a0c03474ee2408b13 (diff) | |
| download | gitea-d4e35b9dc61779559fe28a7537d28bef2938a443.tar.gz gitea-d4e35b9dc61779559fe28a7537d28bef2938a443.zip | |
Hide 'New Project board' button for users that are not signed in (#12547)
* hide: 'New Project board' button
* there is no reason to show the button for users that are not signed in
* update template: specifies the condition together with another one
as per lafriks' suggestion in the comment
* chore: add proper user authorization check
* chore: also hide button if repo is archived
* chore: show project board edit/delete menu to authorized users only
* chore: drop the redundant IsSigned check
* CanWriteIssues and CanWritePulls implies (and requires) signed in user
* Add CanWriteProjects and properly assert permissions
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'routers/routes')
| -rw-r--r-- | routers/routes/routes.go | 37 |
1 files changed, 20 insertions, 17 deletions
diff --git a/routers/routes/routes.go b/routers/routes/routes.go index 27af9275ed..bdb82db6f5 100644 --- a/routers/routes/routes.go +++ b/routers/routes/routes.go @@ -535,6 +535,7 @@ func RegisterRoutes(m *macaron.Macaron) { reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(models.UnitTypeIssues, models.UnitTypePullRequests) reqRepoIssuesOrPullsReader := context.RequireRepoReaderOr(models.UnitTypeIssues, models.UnitTypePullRequests) reqRepoProjectsReader := context.RequireRepoReader(models.UnitTypeProjects) + reqRepoProjectsWriter := context.RequireRepoWriter(models.UnitTypeProjects) // ***** START: Organization ***** m.Group("/org", func() { @@ -858,24 +859,26 @@ func RegisterRoutes(m *macaron.Macaron) { m.Group("/projects", func() { m.Get("", repo.Projects) - m.Get("/new", repo.NewProject) - m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewRepoProjectPost) - m.Group("/:id", func() { - m.Get("", repo.ViewProject) - m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost) - m.Post("/delete", repo.DeleteProject) - - m.Get("/edit", repo.EditProject) - m.Post("/edit", bindIgnErr(auth.CreateProjectForm{}), repo.EditProjectPost) - m.Post("/^:action(open|close)$", repo.ChangeProjectStatus) - - m.Group("/:boardID", func() { - m.Put("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.EditProjectBoardTitle) - m.Delete("", repo.DeleteProjectBoard) - - m.Post("/:index", repo.MoveIssueAcrossBoards) + m.Get("/:id", repo.ViewProject) + m.Group("", func() { + m.Get("/new", repo.NewProject) + m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewProjectPost) + m.Group("/:id", func() { + m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost) + m.Post("/delete", repo.DeleteProject) + + m.Get("/edit", repo.EditProject) + m.Post("/edit", bindIgnErr(auth.CreateProjectForm{}), repo.EditProjectPost) + m.Post("/^:action(open|close)$", repo.ChangeProjectStatus) + + m.Group("/:boardID", func() { + m.Put("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.EditProjectBoardTitle) + m.Delete("", repo.DeleteProjectBoard) + + m.Post("/:index", repo.MoveIssueAcrossBoards) + }) }) - }) + }, reqRepoProjectsWriter, context.RepoMustNotBeArchived()) }, reqRepoProjectsReader, repo.MustEnableProjects) m.Group("/wiki", func() { |