added access control for private projects wiki

git-svn-id: http://redmine.rubyforge.org/svn/branches/work@294 e93f8b46-1217-0410-a6f0-8f06a7374b81

wiki/app/controllers/application.rb

@@ -31,6 +31,10 @@ class ApplicationController < ActionController::Base
     end
   end
   
+  def logged_in_user_membership
+    @user_membership ||= Member.find(:first, :conditions => ["user_id=? and project_id=?", self.logged_in_user.id, @project.id])
+  end
+  
   # check if login is globally required to access the application
   def check_if_login_required
     require_login if Setting.login_required?
@@ -88,6 +92,16 @@ class ApplicationController < ActionController::Base
     render :nothing => true, :status => 403
     false
   end
+  
+  # make sure that the user is a member of the project (or admin) if project is private
+  # used as a before_filter for actions that do not require any particular permission on the project
+  def check_project_privacy
+    return true if @project.is_public?
+    return false unless logged_in_user
+    return true if logged_in_user.admin? || logged_in_user_membership
+    render :nothing => true, :status => 403
+    false
+  end
 
   # store current uri in session.
   # return to this location by calling redirect_back_or_default

wiki/app/controllers/wiki_controller.rb

@@ -17,7 +17,7 @@
 
 class WikiController < ApplicationController
   layout 'base'
-  before_filter :find_wiki
+  before_filter :find_wiki, :check_project_privacy
     
   # display a page (in editing mode if it doesn't exist)
   def index