From 8bd5481b3ff5f430665688a1cd61851fb7119855 Mon Sep 17 00:00:00 2001
From: Fu Matthew
Date: Fri, 7 Sep 2012 17:53:43 +0800
Subject: [PATCH] fix object_auth security problem
---
 .../admin/object_auths_new_interface_controller.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/app/controllers/admin/object_auths_new_interface_controller.rb b/app/controllers/admin/object_auths_new_interface_controller.rb
index 08f7496dc..ac06602ae 100644
--- a/app/controllers/admin/object_auths_new_interface_controller.rb
+++ b/app/controllers/admin/object_auths_new_interface_controller.rb
@@ -66,4 +66,18 @@ class Admin::ObjectAuthsNewInterfaceController < OrbitBackendController
 end
 end
+ def check_permission(var)
+ # binding.pry
+ #app = ModuleApp.first({conditions:{key: params[:module_app_key]}})
+ # setup_vars
+ @module_app.is_manager?(current_user) || current_user.admin?
+ end
+
+ def setup_vars
+ @app_title = request.env['HTTP_REFERER'].split('/')[4]
+ #@app_title = request.fullpath.split('/')[1] if(@app_title == "back_end")
+ @app_title.gsub!(/[?].*/,'')
+ @module_app = ModuleApp.first(conditions: {:key => @app_title} )
+ end
+
 end
\ No newline at end of file
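Review bot: The authorization decision in `check_permission` rests on `@module_app`, which `setup_vars` selects from `request.env['HTTP_REFERER']`, a header the client supplies, so the module whose manager list is consulted is not tied to the resource the action actually changes. The lookup should use the same server-side identifier the action operates on (the commented-out line points at `params[:module_app_key]`), and the check should fail closed, e.g. `current_user.admin? || (!@module_app.nil? && @module_app.is_manager?(current_user))`. As written, a request without a Referer raises on `.split`, a Referer with fewer than five path segments raises on `gsub!`, and an unknown key leaves `@module_app` nil so `is_manager?` raises instead of denying. `check_permission` never reads `var` and its own `# setup_vars` call is commented out, so it depends on a filter outside this hunk having run `setup_vars` first; that ordering deserves a comment, and the `# binding.pry` leftover should be removed.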