1.make module app forbid unearthed access except from admin

2.override sidebar link when it's object_auth or app_auth.

app/controllers/admin/module_apps_new_interface_controller.rb

@@ -1,10 +1,24 @@
 class Admin::ModuleAppsNewInterfaceController < OrbitBackendController
-  before_filter :authenticate_user!
-  before_filter :is_admin?
+  before_filter :check_auth
+  # before_filter :authenticate_user!
+  # before_filter :is_admin?
   include AdminHelper
 
   layout "new_admin"
   
+  def check_auth
+
+    unless is_admin? and is_manager?
+      flash[:error] = "unauthorized access"
+      if request.env["HTTP_REFERER"]
+        redirect_to :back
+      else
+        render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false)
+      end
+      false
+    end
+  end
+
   def setting
     @sys_users = User.all(conditions: {admin: false}).includes(:avatar).not_guest_user
     @module_app = ModuleApp.find(params[:module_app_id])

lib/orbit_app/module/side_bar.rb

@@ -138,9 +138,9 @@ module OrbitApp
 
           def initialize(label_i18n="NoNameLink",options={})
             @label_i18n = label_i18n
-            @available_for = options[:available_for] 
             @priority = options[:priority] || 0
             @path = options[:link_path] || ""
+            set_available_for_avoiding_sensitive_links(options[:available_for] )
             @active_for_action = options[:active_for_action] || []
             @active_for_object_auth = options[:active_for_object_auth] || []
             @active_for_app_auth = options[:active_for_app_auth] || []
@@ -148,6 +148,24 @@ module OrbitApp
             @get_module_app = options[:get_module_app]
           end
 
+          def set_available_for_avoiding_sensitive_links(available_for)
+            sensitive_list = {}
+            sensitive_list[:module_app] =/.*manager_auth_proc.*/ 
+            sensitive_list[:object_auth] = /.*object_auth.*/
+            
+            sensitive_list.each do |index,regx|
+              if @path.match(regx)
+              @available_for = case index
+                when :module_app
+                   [:admin]
+                when :object_auth
+                   [:manager,:admin]
+              end #of case
+            end #of if
+            end #of each
+            @available_for = available_for if @available_for.nil?
+          end #of def
+
           def get_module_app
             @get_module_app.call
           end

public/403.html

@@ -0,0 +1 @@
+403  FORIBDDEN

vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/approvals_controller.rb

@@ -3,6 +3,8 @@ class Panel::Announcement::BackEnd::ApprovalsController  < OrbitBackendControlle
   before_filter :is_admin?
   include AdminHelper
   # layout 'admin'
+
+  
   def preview_and_approve
     @bulletin = Bulletin.find params[:bulletin_id]
   end

vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb

@@ -1,5 +1,4 @@
 class Panel::Announcement::BackEnd::BulletinsController < OrbitBackendController
-  include AdminHelper
   include OrbitControllerLib::DivisionForDisable
 
   before_filter :clean_values, :only => [:create, :update]

vendor/built_in_modules/announcement/init.rb

@@ -131,8 +131,7 @@ module Announcement
       context_link 'module_authorization',
                             :link_path=>"admin_module_app_manager_auth_proc_path(ModuleApp.first(conditions: {title: 'Announcement'}))",
                             :priority=>6,
-                            :active_for_app_auth => 'Announcement',
-                            :available_for => [:admin]
+                            :active_for_app_auth => 'Announcement'
     end
   end
 end