fix object_auth security problem

2012-09-07 17:53:43 +08:00 · 2012-09-07 17:53:43 +08:00 · 8bd5481b3f
parent 671f86b612
commit 8bd5481b3f
1 changed files with 14 additions and 0 deletions
--- a/app/controllers/admin/object_auths_new_interface_controller.rb
+++ b/app/controllers/admin/object_auths_new_interface_controller.rb
@ -66,4 +66,18 @@ class Admin::ObjectAuthsNewInterfaceController < OrbitBackendController
    end
  end

+  def check_permission(var)
+    # binding.pry
+    #app = ModuleApp.first({conditions:{key: params[:module_app_key]}})
+    # setup_vars
+    @module_app.is_manager?(current_user) || current_user.admin?
+  end
+
+  def setup_vars
+    @app_title = request.env['HTTP_REFERER'].split('/')[4]
+    #@app_title = request.fullpath.split('/')[1] if(@app_title == "back_end") 
+    @app_title.gsub!(/[?].*/,'')
+    @module_app = ModuleApp.first(conditions: {:key => @app_title} )
+  end
+
 end