From 58bea99430a26e652f5bda24a3bd9f2b444820eb Mon Sep 17 00:00:00 2001
From: Harry Bomrah
Date: Thu, 13 Nov 2014 19:50:19 +0800
Subject: [PATCH 1/2] fixed authorizations
---
 app/helpers/orbit_backend_helper.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/app/helpers/orbit_backend_helper.rb b/app/helpers/orbit_backend_helper.rb
index 0145e85..aa76b9d 100644
--- a/app/helpers/orbit_backend_helper.rb
+++ b/app/helpers/orbit_backend_helper.rb
@@ -138,8 +138,11 @@ module OrbitBackendHelper
 end
 def can_edit_or_delete?(obj)
+ create_user = obj.create_user_id.to_s rescue nil
 if @user_authenticated_categories.first == "all"
 return true
+ elsif current_user.is_sub_manager?(@module_app) && !create_user.nil?
+ create_user == current_user.id.to_s
 else
 @user_authenticated_categories.include?obj.category_id rescue (current_user.is_manager?(@module_app) rescue false)
 end
From 46ec4be6a25531a94395863cdf576f90acb79e4f Mon Sep 17 00:00:00 2001
From: Harry Bomrah
Date: Thu, 13 Nov 2014 21:50:08 +0800
Subject: [PATCH 2/2] optimization for authorization
---
 app/controllers/orbit_admin_controller.rb | 1 +
 app/helpers/orbit_backend_helper.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/controllers/orbit_admin_controller.rb b/app/controllers/orbit_admin_controller.rb
index 5d56a00..d084ef3 100644
--- a/app/controllers/orbit_admin_controller.rb
+++ b/app/controllers/orbit_admin_controller.rb
@@ -78,6 +78,7 @@ class OrbitAdminController < ApplicationController
 def load_authorized_categories
 @user_authenticated_categories = current_user.is_admin? ? ["all"] : current_user.approved_categories.collect{|c| c.id} rescue []
+ @current_user_is_sub_manager = current_user.is_sub_manager?(@module_app) rescue false
 end
diff --git a/app/helpers/orbit_backend_helper.rb b/app/helpers/orbit_backend_helper.rb
index aa76b9d..e0f1901 100644
--- a/app/helpers/orbit_backend_helper.rb
+++ b/app/helpers/orbit_backend_helper.rb
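Review bot: The guard `!create_user.nil?` on the new `elsif` line cannot do what it reads as doing, because `create_user` is built with `.to_s`: a record whose `create_user_id` is nil yields `""`, which is not nil, so a sub-manager is compared against an empty owner and denied instead of falling through to the category check; `rescue nil` only produces nil when `obj` lacks a `create_user_id` method altogether. The outcome is fail-closed, so this is not an escalation, but the branch is inconsistent with its own condition. If the fall-through was intended, test the value before converting it, e.g. `elsif current_user.is_sub_manager?(@module_app) && create_user.present?` (`present?` should be available since this appears to be a Rails helper), otherwise drop the nil test and state in a comment that a sub-manager may only edit records carrying their own id. Whether `current_user.id` and `create_user_id` share a type is not visible here, so the string comparison is taken as deliberate; the method's closing `end` is outside the hunk.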
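Review bot: `@current_user_is_sub_manager` in `load_authorized_categories` is computed under a modifier `rescue false`, so any exception — `@module_app` or `current_user` being nil when this filter runs, as much as a genuine lookup failure — becomes "not a sub-manager". That is the fail-closed direction for an authorization flag, but it also means the branch added to `can_edit_or_delete?` in the previous commit is silently disabled whenever `@module_app` is assigned after this filter, and the filter ordering is not visible in the hunk. A comment on the new line would make the dependency explicit, e.g. `# requires @module_app to be set by an earlier filter; any error leaves the flag false (deny)`. The same bare rescue on the `@user_authenticated_categories` line above is pre-existing.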
@@ -141,7 +141,7 @@ module OrbitBackendHelper
 create_user = obj.create_user_id.to_s rescue nil
 if @user_authenticated_categories.first == "all"
 return true
- elsif current_user.is_sub_manager?(@module_app) && !create_user.nil?
+ elsif @current_user_is_sub_manager && !create_user.nil?
 create_user == current_user.id.to_s
 else
 @user_authenticated_categories.include?obj.category_id rescue (current_user.is_manager?(@module_app) rescue false)
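Review bot: The new `elsif` line reads `@current_user_is_sub_manager`, an instance variable that exists only when `load_authorized_categories` has run in the controller; in any view or helper context where it did not, the ivar is nil and the sub-manager branch is skipped, whereas the replaced line computed the answer itself. The result is still fail-closed — evaluation drops to the category/`is_manager?` check on the `else` line — but the helper now has an undocumented coupling to a controller filter that a future caller can break without noticing. Consider a comment beside the ivar, e.g. `# set by OrbitAdminController#load_authorized_categories; nil (filter not run) disables this branch`, or fall back to the live check only when the ivar is nil so the optimisation is kept where it applies. Note also that the `else` branch still calls `current_user.is_manager?(@module_app)` live, so the caching covers only one of the two role checks. The method's `def` and closing `end` are both outside the hunk.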