From 40eea87a01529eb534d7dadde96fb75a98894995 Mon Sep 17 00:00:00 2001 From: manson Date: Fri, 1 Aug 2014 12:24:57 +0800 Subject: [PATCH] add authorization --- .../admin/project_types_controller.rb | 4 +++- app/controllers/admin/projects_controller.rb | 9 ++++++--- app/views/admin/projects/_form.html.erb | 1 + .../plugin/personal_project/_profile.html.erb | 17 +++++++++-------- 4 files changed, 19 insertions(+), 12 deletions(-) diff --git a/app/controllers/admin/project_types_controller.rb b/app/controllers/admin/project_types_controller.rb index 8fbde4b..75a8d77 100644 --- a/app/controllers/admin/project_types_controller.rb +++ b/app/controllers/admin/project_types_controller.rb @@ -1,4 +1,6 @@ -class Admin::ProjectTypesController < OrbitAdminController +class Admin::ProjectTypesController < OrbitMemberController + before_action :allow_admin_only + def new @project_type = ProjectType.new @url = admin_project_types_path(@project_type) diff --git a/app/controllers/admin/projects_controller.rb b/app/controllers/admin/projects_controller.rb index e1206f7..725932a 100644 --- a/app/controllers/admin/projects_controller.rb +++ b/app/controllers/admin/projects_controller.rb @@ -4,6 +4,9 @@ class Admin::ProjectsController < OrbitMemberController before_action :set_plugin before_action :get_settings,:only => [:new, :edit, :setting] + before_action :need_access_right + before_action :allow_admin_only, :only => [:index, :setting] + def index @projects = Project.order_by(:period_start_date=>'desc',:year=>'desc').page(params[:page]).per(10) end @@ -17,7 +20,7 @@ class Admin::ProjectsController < OrbitMemberController @member = MemberProfile.find(project_params['member_profile_id']) rescue nil @project = Project.new(project_params) @project.save - redirect_to '/admin/members/'+@member.to_param+'/Project' + redirect_to params['referer_url'] end def edit @@ -30,7 +33,7 @@ class Admin::ProjectsController < OrbitMemberController @project = Project.find(params[:id]) @project.update_attributes(project_params) @project.save - redirect_to '/admin/members/'+@member.to_param+'/Project' + redirect_to params['referer_url'] end def destroy @@ -66,7 +69,7 @@ class Admin::ProjectsController < OrbitMemberController @intro = @intro.nil? ? ProjectIntro.new({:member_profile_id=>@member.id}) : @intro @intro.update_attributes(intro_params) @intro.save - redirect_to '/admin/members/'+@member.to_param+'/Project' + redirect_to URI.encode('/admin/members/'+@member.to_param+'/Project') end def get_settings diff --git a/app/views/admin/projects/_form.html.erb b/app/views/admin/projects/_form.html.erb index 276ee34..445e537 100644 --- a/app/views/admin/projects/_form.html.erb +++ b/app/views/admin/projects/_form.html.erb @@ -231,6 +231,7 @@
<%= f.hidden_field :user_id, :value => params[:user_id] if !params[:user_id].blank? %> + <%= f.submit t('submit'), class: 'btn btn-primary' %> <%= link_to t('cancel'), get_go_back, :class=>"btn" %>
diff --git a/app/views/plugin/personal_project/_profile.html.erb b/app/views/plugin/personal_project/_profile.html.erb index 6dd2ff5..a2d47da 100644 --- a/app/views/plugin/personal_project/_profile.html.erb +++ b/app/views/plugin/personal_project/_profile.html.erb @@ -6,15 +6,14 @@ <% end %> <% - is_autorized_user = (current_user==@member.user || current_user.is_admin?) - if is_autorized_user + if has_access? @projects = Project.where(member_profile_id: @member.id).desc(:year).page(params[:page]).per(10) else @projects = Project.where(is_hidden: false, member_profile_id: @member.id).desc(:year).page(params[:page]).per(10) end %> -<% if is_autorized_user %> +<% if has_access? %>
<%= link_to('Hide', '#', :class => "btn btn-mini list-active-btn disabled", "data-check-action" => "list-be-hide", :rel => toggle_hide_admin_projects_path(member_profile_id: params[:id], disable: 'true') ) %> @@ -26,7 +25,7 @@ - <% if is_autorized_user %> + <% if has_access? %> <% end -%> @@ -37,7 +36,7 @@ <% @projects.each do |project| %> "> - <% if is_autorized_user %> + <% if has_access? %> @@ -47,8 +46,10 @@ <%= link_to project.project_title, OrbitHelper.url_to_plugin_show(project.to_param,'personal_project').to_s, target: "blank"%>
    -
  • <%= link_to t('edit'), '/admin/members/'+@member.to_param+'/projects/'+project.id+'/edit' %>
    • -
  • <%= link_to t(:delete_), admin_project_path(id: project.id, member_profile_id: @member.id), method: :delete, remote: true, data: { confirm: t('sure?') } %>
    • + <% if has_access? %> +
  • <%= link_to t('edit'), '/admin/members/'+@member.to_param+'/projects/'+project.id+'/edit' %>
    • +
  • <%= link_to t(:delete_), admin_project_path(id: project.id, member_profile_id: @member.id), method: :delete, remote: true, data: { confirm: t('sure?') } %>
    • + <% end %>
@@ -60,7 +61,7 @@
- <% if is_autorized_user %> + <% if has_access? %>
<%= link_to content_tag(:i, nil, :class => 'icon-edit') +' '+ t('setting'),'/admin/members/'+@member.to_param+'/projects/frontend_setting', :class => 'btn btn-primary' %> <%= link_to content_tag(:i, nil, :class => 'icon-plus') +' '+ t('new_'),
<%= t('personal_project.year') %>
<%= check_box_tag 'to_change[]', project.id.to_s, false, :class => "list-check" %>