added security fix for edit page

2014-07-31 17:47:11 +08:00 · 2014-07-31 17:47:11 +08:00 · 01bb50fdec
parent fb1a78c550
commit 01bb50fdec
1 changed files with 6 additions and 3 deletions
--- a/app/controllers/admin/galleries_controller.rb
+++ b/app/controllers/admin/galleries_controller.rb
@ -41,9 +41,12 @@ class Admin::GalleriesController < OrbitAdminController

  def edit
      @album = Album.find(params[:id])
-      @tags = @module_app.tags
-    @categories = @module_app.categories
-
+      if can_edit_or_delete?(@album)
+        @tags = @module_app.tags
+        @categories = @module_app.categories
+      else
+        render_401
+      end
  end

  def set_cover