From 33edfd779c90a8e7bf9db048cf02e3a1558d81b6 Mon Sep 17 00:00:00 2001
From: Harry Bomrah <harry@rulingcom.com>
Date: Wed, 30 Jul 2014 21:40:02 +0800
Subject: [PATCH] new authorization.. yet to complete in alpha..

---
 .../javascripts/basic/orbit_js_1.0.1.js       |   2 +-
 .../admin/authorizations_controller.rb        |  25 +++-
 app/controllers/orbit_admin_controller.rb     |   7 +-
 app/helpers/orbit_backend_helper.rb           |  10 +-
 app/models/authorization.rb                   |  14 +--
 app/models/category.rb                        |   4 +
 app/models/user.rb                            |  35 +++++-
 .../admin/categories/_select_form.html.erb    |   8 +-
 app/views/layouts/_side_bar_content.html.erb  |   4 +-
 config/initializers/authorization.rb          |   6 +-
 lib/orbit_app/helper/context_link_renderer.rb |  21 +++-
 lib/orbit_app/helper/side_bar_renderer.rb     |  27 ++--
 lib/orbit_app/module/side_bar.rb              |  74 +++++++----
 lib/orbit_core_lib.rb                         | 118 ++++++------------
 public/401.html                               |  28 +++++
 15 files changed, 242 insertions(+), 141 deletions(-)
 create mode 100644 public/401.html

diff --git a/app/assets/javascripts/basic/orbit_js_1.0.1.js b/app/assets/javascripts/basic/orbit_js_1.0.1.js
index a5dee8d..c5925cd 100755
--- a/app/assets/javascripts/basic/orbit_js_1.0.1.js
+++ b/app/assets/javascripts/basic/orbit_js_1.0.1.js
@@ -291,7 +291,7 @@ if($.support.touch) {
             $el.find('a').removeAttr('href');
         };
         $el.on(mouseenterEvent, function(e) {
-            $block.siblings().removeClass('show').eq($(this).index()).addClass('show');
+            $block.siblings().removeClass('show').end().eq($(this).index()).addClass('show');
             $arrow.stop(true, false).animate({
                 top: ($(this).position().top+$(this).height()/2)-$arrowHeightFormat+$('.scroller').position().top,
             },{
diff --git a/app/controllers/admin/authorizations_controller.rb b/app/controllers/admin/authorizations_controller.rb
index 762022a..a29f364 100644
--- a/app/controllers/admin/authorizations_controller.rb
+++ b/app/controllers/admin/authorizations_controller.rb
@@ -35,7 +35,7 @@ class Admin::AuthorizationsController < OrbitAdminController
   def add_users
     users = User.find(params[:user_ids]) rescue nil
     unless users.nil?
-      authorization = users.map {|u| get_or_create_authorization(u.id)}.first
+      authorization = users.map {|u| get_or_create_authorization(u)}.first
     end
     @users = @module_app.module_managers
     render 'admin/authorizations/reload_users'
@@ -92,16 +92,22 @@ class Admin::AuthorizationsController < OrbitAdminController
 
   protected
 
-  def get_or_create_authorization(user_id)
+  def get_or_create_authorization(user)
     case @type
     when 'category_authorization'
       if @object
-       Authorization.create_category_authorization(@module_app.id, @object.id, user_id)
+        if user.is_manager?(@module_app)
+          remove_from_manager(user)
+        end
+       Authorization.create_category_authorization(@module_app.id, @object.id, user.id)
       else
         @error = t(:no_data)
       end
     when nil
-      Authorization.create_module_authorization(@module_app.id,  user_id)
+      if user.is_sub_manager?(@module_app)
+          remove_from_sub_manager(user)
+      end
+      Authorization.create_module_authorization(@module_app.id, user.id)
     else
       auth = @object.get_authorization_by_title("#{@type}_#{@module_app.key}")
       unless auth
@@ -111,6 +117,17 @@ class Admin::AuthorizationsController < OrbitAdminController
     end
   end
 
+  def remove_from_sub_manager(user)
+    categories = @module_app.categories.authorized(user)
+    categories.each do |c|
+       Authorization.remove_category_authorization(c.id, user.id)
+    end
+  end
+
+  def remove_from_manager(user)
+     Authorization.remove_module_authorization(@module_app.id, user.id)
+  end
+
   def get_or_create_authorization_with_role(role_id)
     case @type
     when 'category_authorization'
diff --git a/app/controllers/orbit_admin_controller.rb b/app/controllers/orbit_admin_controller.rb
index 6f060a7..96abc40 100644
--- a/app/controllers/orbit_admin_controller.rb
+++ b/app/controllers/orbit_admin_controller.rb
@@ -1,10 +1,9 @@
 class OrbitAdminController < ApplicationController  
   include OrbitCoreLib::Authorize
-  include OrbitCoreLib::PermissionUtility
   include Authorize
   include OrbitBackendHelper
   
-  before_action :authenticate_user, :log_user_action
+  before_action :authenticate_user, :log_user_action, :load_authenticated_categories
   layout "back_end"
 
   def sort
@@ -65,4 +64,8 @@ class OrbitAdminController < ApplicationController
     end
   end
 
+  def load_authenticated_categories
+    @user_authenticated_categories = current_user.is_admin? ? ["all"] : current_user.approved_categories.collect{|c| c.id}
+  end
+
 end
diff --git a/app/helpers/orbit_backend_helper.rb b/app/helpers/orbit_backend_helper.rb
index b88fe1b..0a7f4ac 100644
--- a/app/helpers/orbit_backend_helper.rb
+++ b/app/helpers/orbit_backend_helper.rb
@@ -85,7 +85,7 @@ module OrbitBackendHelper
 
 
   def select_category(f, module_app)
-    render :partial => '/admin/categories/select_form', :locals => {:f=> f, :module_app=>module_app, :categories=>module_app.categories.enabled }
+    render :partial => '/admin/categories/select_form', :locals => {:f=> f, :module_app=>module_app, :categories=>module_app.categories.enabled.authorized(current_user) }
   end
 
   def select_tags(f, module_app)
@@ -128,6 +128,14 @@ module OrbitBackendHelper
 
     [:name=> t(:visitors_count),:data=>result]
   end
+
+  def can_edit_or_delete?(obj)
+    if @user_authenticated_categories.first == "all"
+      return true
+    else
+      @user_authenticated_categories.include?obj.category_id
+    end
+  end
   
 end
 
diff --git a/app/models/authorization.rb b/app/models/authorization.rb
index f0176d7..c5b2157 100644
--- a/app/models/authorization.rb
+++ b/app/models/authorization.rb
@@ -32,7 +32,7 @@ class Authorization
     user = User.find(user_id)
     workgroup = Workgroup.find_by(key: "managers")
     module_app = ModuleApp.find(module_app_id)
-    if (user.is_admin? || user.is_manager?(module_app) || user.is_sub_manager?(module_app)|| user.is_manager_with_role?(module_app))
+    if (user.is_admin? || user.is_manager?(module_app) || user.is_manager_with_role?(module_app))
       puts "User Already Authorized"
     else
       a = self.create(module_app_id: module_app_id, user_id: user_id, workgroup_id: workgroup.id)
@@ -44,12 +44,8 @@ class Authorization
     user = User.find(user_id)
     workgroup = Workgroup.find_by(key: "sub_managers")
     module_app = ModuleApp.find(module_app_id)
-    if (user.is_admin? || user.is_manager?(module_app) || user.is_sub_manager?(module_app) || user.is_manager_with_role?(module_app))
-      puts "User Already Authorized"
-    else
-      a = self.create(category_id: category_id, user_id: user_id, workgroup_id: workgroup.id)
-      a.save
-    end
+    a = self.create(category_id: category_id, user_id: user_id, workgroup_id: workgroup.id)
+    a.save
   end
 
   def self.create_module_authorization_with_role(module_app_id,role_id)
@@ -78,11 +74,11 @@ class Authorization
 
   def self.remove_module_authorization(module_app_id,user_id)
     auth = self.find_by(module_app_id: module_app_id, user_id: user_id)
-    auth.delete
+    auth.destroy
   end
 
   def self.remove_category_authorization(category_id,user_id)
     auth = self.find_by(category_id: category_id, user_id: user_id)
-    auth
+    auth.destroy
   end
 end
diff --git a/app/models/category.rb b/app/models/category.rb
index 3369de7..f146632 100644
--- a/app/models/category.rb
+++ b/app/models/category.rb
@@ -15,4 +15,8 @@ class Category
   def category_sub_managers
     Authorization.category_authorized_users(self).pluck(:user_id)
   end
+
+  def self.authorized(user)
+    user.approved_categories
+  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index e22e6ee..949d0bf 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -108,7 +108,6 @@ class User
     module_app_categories = module_app.categories.map {|c| c.id} rescue nil
     authorized_categories = self.authorizations.map {|a| a.category.id if (a.category.present? && a.workgroup.key.eql?("sub_managers"))}
     intersection = (module_app_categories & authorized_categories)
-
     if ((intersection.count > 0 if intersection.present?) && !self.is_admin? && !self.is_manager?(module_app))
       true
     else
@@ -128,6 +127,40 @@ class User
     end
   end
 
+  def is_normal_user?
+    if self.is_admin?
+      return false
+    elsif self.authorizations.empty?
+      return true
+    else
+      return false
+    end
+  end
+
+  def approved_categories
+    categories = []
+    if self.is_admin?
+      Category.all.each do |c|
+        categories << c
+      end
+    else
+      self.authorizations.each do |auth|
+        case auth.workgroup.key
+        when "managers"
+          if !auth.module_app.categories.blank?
+            auth.module_app.categories.each do|c|
+              categories << c
+            end
+          end
+        when "sub_managers"
+          c = Category.find(auth.category_id) rescue nil
+          categories << c if !c.nil?
+        end
+      end
+    end
+    categories
+  end
+
   def user_workgroup(module_app)
     if self.is_admin?
       "Admin"
diff --git a/app/views/admin/categories/_select_form.html.erb b/app/views/admin/categories/_select_form.html.erb
index 8f3ebe5..9cd1d19 100644
--- a/app/views/admin/categories/_select_form.html.erb
+++ b/app/views/admin/categories/_select_form.html.erb
@@ -1,9 +1,11 @@
 <span id="select_categories">
   <%= f.select :category_id, categories.collect{|t| [ t.title, t.id ]} %>
 </span>
-<button class="btn" data-toggle="modal" data-target="#categoryModal">
-  <i class='icon-plus'></i> <%= t(:new_category) %>
-</button>
+<% if current_user.is_admin? || current_user.is_manager?(module_app) %>
+  <button class="btn" data-toggle="modal" data-target="#categoryModal">
+    <i class='icon-plus'></i> <%= t(:new_category) %>
+  </button>
+<% end %>
 
 <div class="modal fade" id="categoryModal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
   <div class="modal-dialog">
diff --git a/app/views/layouts/_side_bar_content.html.erb b/app/views/layouts/_side_bar_content.html.erb
index b2756de..0c46500 100644
--- a/app/views/layouts/_side_bar_content.html.erb
+++ b/app/views/layouts/_side_bar_content.html.erb
@@ -2,7 +2,7 @@
 	<div class="scroller">
 	  <ul class="sidebar-nav">
 	    <% OrbitApp::Module::SideBarRegistration.all.sort{|x,y| x.get_module_app_key <=> y.get_module_app_key}.each do |t| %>
-	      <%= t.render_head(request, params, current_user, @module_app) %>
+	      <%= t.render_head(request, params, current_user, @module_app, t.get_availability) %>
  	    <% end %>
 	  </ul>
 	</div>
@@ -11,6 +11,6 @@
 
 <div class="sub-nav-block-list">
   <% OrbitApp::Module::SideBarRegistration.all.sort{|x,y| x.get_module_app_key <=> y.get_module_app_key}.each do |t| %>
-    <%= t.render(request, params, current_user, @module_app) %>
+    <%= t.render(request, params, current_user, @module_app, t.get_availability) %>
  <% end %>
 </div>
\ No newline at end of file
diff --git a/config/initializers/authorization.rb b/config/initializers/authorization.rb
index c51ed2a..bea5e80 100644
--- a/config/initializers/authorization.rb
+++ b/config/initializers/authorization.rb
@@ -5,8 +5,8 @@
     
     side_bar do
       head_label_i18n 'authorization', icon_class: "icons-lock-open"
-      available_for [:admin, :manager]
-      active_for_controllers ({public: ['admin/authorizations']})
+      available_for "managers"
+      active_for_controllers (['admin/authorizations'])
 
       head_link_path "admin_authorizations_path"
       
@@ -14,6 +14,6 @@
         link_path: "admin_authorizations_path",
         priority: 1,
         active_for_action: {authorizations: :index},
-        available_for: [:admin, :manager]
+        available_for: "managers"
     end
   end
diff --git a/lib/orbit_app/helper/context_link_renderer.rb b/lib/orbit_app/helper/context_link_renderer.rb
index 9d0983c..b501927 100644
--- a/lib/orbit_app/helper/context_link_renderer.rb
+++ b/lib/orbit_app/helper/context_link_renderer.rb
@@ -1,13 +1,30 @@
 module ContextLinkRenderer
   include Renderer
 
-  def render(request,params,current_module_app,current_user,belong_module_app,active_actions)
+  def render(request,params,current_module_app,current_user,belong_module_app,active_actions,available_for)
     @current_module_app = current_module_app
     @belong_module_app = belong_module_app
     @request = request
     @params = params
     @current_user = current_user
-    content_tag :li, link_to(content_tag(:span, I18n.t(@label_i18n)), Rails.application.routes.url_helpers.send(@path, eval(@arg))), :class => ( active_actions[controller] == action ? 'active' : nil) 
+    @available_for = available_for
+    if can_display?
+    	content_tag :li, link_to(content_tag(:span, I18n.t(@label_i18n)), Rails.application.routes.url_helpers.send(@path, eval(@arg))), :class => ( active_actions[controller] == action ? 'active' : nil) 
+    end
+  end
+
+  def can_display?
+  	status = "users"
+  	if @current_user.is_admin?
+  		status = "admin"
+  	elsif @current_user.is_manager?(@belong_module_app)
+  		status = "managers"
+  	elsif @current_user.is_sub_manager?(@belong_module_app)
+  		status = "sub_managers"
+  	elsif @current_user.is_normal_user?
+  		status = "users"
+  	end
+  	return @available_for.include?status
   end
 
 end
\ No newline at end of file
diff --git a/lib/orbit_app/helper/side_bar_renderer.rb b/lib/orbit_app/helper/side_bar_renderer.rb
index e9c0496..be1800d 100644
--- a/lib/orbit_app/helper/side_bar_renderer.rb
+++ b/lib/orbit_app/helper/side_bar_renderer.rb
@@ -3,30 +3,32 @@ module SideBarRenderer
   include AdminHelper
   include ActionView::Helpers::TextHelper
 
-  def render(request,params,user,current_module_app)
+  def render(request,params,user,current_module_app, af)
     @belong_module_app = get_module_app
     @current_module_app = current_module_app
     @request = request
     @params = params
     @current_user = user
+    @app_available_for = af
     if display?
       content_tag :div, class: "sub-nav-block #{@icon_class}" do
         concat content_tag :h4, I18n.t(@head_label)
         concat (content_tag :ul, class: "nav nav-list" do
           @context_links.sort_by {| obj | obj.priority}.map{ |link|
-            link.render(request, params, @current_module_app, @current_user, @belong_module_app, link.get_active_action)
+            link.render(request, params, @current_module_app, @current_user, @belong_module_app, link.get_active_action, link.available_for)
           }.join.html_safe
         end)
       end
     end
   end
 
-  def render_head(request, params, user,current_module_app)
+  def render_head(request, params, user,current_module_app, available_for)
     @belong_module_app = get_module_app
     @current_module_app = current_module_app
     @request = request
     @params = params
     @current_user = user
+    @app_available_for = available_for
     if display?
       content_tag :li, class: (module_sidebar_active? ? 'active' : nil) do
         link_to Rails.application.routes.url_helpers.send(@head_link) do
@@ -41,15 +43,17 @@ module SideBarRenderer
   protected
 
    def display? #控制sidebar 要不要算圖
-    if is_manager? || is_admin?  #如果是系統管理員 或 是模組管理員
-      true
-    elsif (@current_module_app.open rescue true) # 如果app 被設定成 開放
-      true
-     elsif is_member? #如果app 是封閉  那至少需要是 member
-      true
-    else 
-      false
+    status = "users"
+    if @current_user.is_admin?
+      status = "admin"
+    elsif @current_user.is_manager?(@belong_module_app)
+      status = "managers"
+    elsif @current_user.is_sub_manager?(@belong_module_app)
+      status = "sub_managers"
+    elsif @current_user.is_normal_user?
+      status = "users"
     end
+    return @app_available_for.include?status
   end
 
   def module_sidebar_active?
@@ -59,5 +63,4 @@ module SideBarRenderer
   def active_for_controller?
     @active_for_controllers.include? controller
   end
-
 end
\ No newline at end of file
diff --git a/lib/orbit_app/module/side_bar.rb b/lib/orbit_app/module/side_bar.rb
index ecfb5d9..7ff2829 100644
--- a/lib/orbit_app/module/side_bar.rb
+++ b/lib/orbit_app/module/side_bar.rb
@@ -87,7 +87,32 @@ module OrbitApp
         end
 
         def available_for(var)
-          @available_for = var
+          @available_for = set_avaibility(var || "admin") 
+        end
+
+        def get_availability
+          @available_for
+        end
+
+         def set_avaibility(af)
+          temp = []
+          case af
+          when 'users'
+            temp << 'users'
+            temp << 'sub_managers'
+            temp << 'managers'
+            temp << 'admin'
+           when 'sub_managers'
+            temp << 'sub_managers'
+            temp << 'managers'
+            temp << 'admin'
+           when 'managers'
+            temp << 'managers'
+            temp << 'admin'
+           when 'admin'
+            temp << 'admin'
+          end
+          temp
         end
 
         def active_for_controllers(var)
@@ -112,7 +137,7 @@ module OrbitApp
             context_link 'module_authorization',
                           :link_path => "admin_authorizations_path(get_module_app.key)",
                           :priority => current_priority + 2,
-                          :available_for => [:manager]
+                          :available_for => "managers"
           end
           @context_links.each do |t| 
             # t.set_module_app = @module_app
@@ -143,35 +168,42 @@ module OrbitApp
           @priority = options[:priority] || 0
           @path = options[:link_path] || ""
           @arg = options[:link_arg] || ""
-          set_available_for_avoiding_sensitive_links(options[:available_for] )
+          @available_for = set_avaibility(options[:available_for] || "admin")
           @active_for_action = options[:active_for_action] || []
           @active_for_app_auth = options[:active_for_app_auth] || []
           @module_app_key = options[:module_app_key]
           @get_module_app = options[:get_module_app]
         end
 
-        def set_available_for_avoiding_sensitive_links(available_for)
-            sensitive_list = {}
-            sensitive_list[:module_app] =/.*manager_auth_proc.*/ 
-            sensitive_list[:object_auth] = /.*object_auth.*/
-            
-            sensitive_list.each do |index,regx|
-              if @path.match(regx)
-              @available_for = case index
-                when :module_app
-                   [:admin]
-                when :object_auth
-                   [:manager,:admin]
-              end #of case
-            end #of if
-          end #of each
-          @available_for = available_for if @available_for.nil?
-        end #of def
-
         def get_module_app
           @get_module_app.call
         end
 
+        def available_for
+          @available_for
+        end
+
+        def set_avaibility(af)
+          temp = []
+          case af
+          when 'users'
+            temp << 'users'
+            temp << 'sub_managers'
+            temp << 'managers'
+            temp << 'admin'
+           when 'sub_managers'
+            temp << 'sub_managers'
+            temp << 'managers'
+            temp << 'admin'
+           when 'managers'
+            temp << 'managers'
+            temp << 'admin'
+           when 'admin'
+            temp << 'admin'
+          end
+          temp
+        end
+
         def active?
           for_action = @active_for_action.blank? ? false : active_for_action?
           for_app_auth = @active_for_app_auth.blank? ? false : active_for_app_auth?
diff --git a/lib/orbit_core_lib.rb b/lib/orbit_core_lib.rb
index c655514..ffbd543 100644
--- a/lib/orbit_core_lib.rb
+++ b/lib/orbit_core_lib.rb
@@ -115,30 +115,6 @@ module  OrbitCoreLib
        self.save!
      end
   end
-  
-  module PermissionUtility
-  private
-    def check_permission(type = :use)
-    permission_grant =  current_user.is_admin?? true : false
-      module_app = @module_app.nil?? find_module_app_by_token(params[:token]) : @module_app
-      unless permission_grant
-        permission_grant = case type
-        when :use
-          users_ary = @module_authorized_users rescue nil
-          users_ary = [] if users_ary.nil?
-          (users_ary.include?(current_user) || current_user.is_manager?(@module_app) || current_user.is_sub_manager?(@module_app))
-        when :manager
-          current_user.is_manager?(@module_app)
-        when :sub_manager  
-          current_user.is_manager?(@module_app) || current_user.is_sub_manager?(@module_app)
-        end  
-      end
-      permission_grant
-    end
-    def find_module_app_by_token(token)
-      ModuleApp.first(conditions: {s_token: token})
-    end
-  end
 
   module Authorize
     def self.included(base)
@@ -151,66 +127,48 @@ module  OrbitCoreLib
     module InstanceMethods
       protected
       def can_use
-        setup_vars
-        unless @no_authorization
-          if @workgroup
-            @open = false
-            @visitor = false
-            @workgroup.each do |workgroup|
-              case workgroup
-              when :admin
-                @open ||= check_admin
-              when :manager
-                @open ||= check_manager
-              when :sub_manager
-                @open ||= check_sub_manager
-              when :user
-                @open ||= true
-              end
-            end
-            authenticate_user if current_user.nil
-            redirect_to root_url unless @open
-          else
-            authenticate_user
-            check_user_can_use
+        @app_title ||= controller_path.split('/')[1].singularize rescue nil
+        @module_app ||= ModuleApp.find_by(key: @app_title) rescue nil
+        @module_authorized_users ||= Authorization.module_authorized_users(@module_app.id).pluck(:user_id) rescue nil
+        authenticate_user
+        check_user_can_use
+      end
+
+      def check_user_can_use
+        # condition_check = ((current_user.is_admin? if current_user.present?) || (current_user.is_manager?(@module_app) if current_user.present?) || (current_user.is_sub_manager?(@module_app) if current_user.present?) || (current_user.is_manager_with_role?(@module_app) if current_user.present?))
+        # if condition_check.eql?(true)
+        #   # redirect_to admin_dashboards_url
+        # elsif condition_check.eql?(false)
+        #   render "public/401" , layout: "back_end"
+        # end
+        permissions = {}
+        @module_app.get_registration.get_side_bar.get_context_links.each do |link|
+          l = (Rails.application.routes.url_helpers.send(link.path) rescue Rails.application.routes.url_helpers.send(link.path, {:module_app_id => @module_app.id}))
+          if l == request.path
+           permissions["link"] = l 
+           permissions["available_for"] = link.available_for
+           break
+         end
+        end
+        if !permissions.empty?
+          if !allow?(permissions["available_for"] || ["admin"])
+            render "public/401" , layout: "back_end"
           end
         end
       end
 
-      def check_admin
-        current_user.is_admin?
-      end
-
-      def check_manager
-        check_admin || current_user.is_manager?(@module_app)
-      end
-
-      def check_sub_manager
-        check_admin || check_manager || current_user.is_sub_manager?(@module_app)
-      end
-
-      def open_for(var)
-        @user_type ||= []
-        @user_type << var
-      end
-
-      def no_authorization
-        @no_authorization = true
-      end
-
-      def check_user_can_use
-        condition_check = ((current_user.is_admin? if current_user.present?) || (current_user.is_manager?(@module_app) if current_user.present?) || (current_user.is_sub_manager?(@module_app) if current_user.present?) || (current_user.is_manager_with_role?(@module_app) if current_user.present?))
-        if condition_check.eql?(true)
-          # redirect_to admin_dashboards_url
-        elsif condition_check.eql?(false)
-          render "public/404" , layout: "back_end"
-        end
-      end
-
-      def setup_vars
-        @app_title ||= controller_path.split('/')[1].singularize rescue nil
-        @module_app ||= ModuleApp.find_by(key: @app_title) rescue nil
-        @module_authorized_users ||= Authorization.module_authorized_users(@module_app.id).pluck(:user_id) rescue nil
+       def allow?(af)
+          status = "users"
+          if current_user.is_admin?
+            status = "admin"
+          elsif current_user.is_manager?(@module_app)
+            status = "managers"
+          elsif current_user.is_sub_manager?(@module_app)
+            status = "sub_managers"
+          elsif current_user.is_normal_user?
+            status = "users"
+          end
+          return af.include?status
       end
     end
   end
diff --git a/public/401.html b/public/401.html
new file mode 100644
index 0000000..39bd611
--- /dev/null
+++ b/public/401.html
@@ -0,0 +1,28 @@
+<!DOCTYPE HTML>
+<html lang="en-US">
+<head>
+  <meta charset="UTF-8">
+  <title></title>
+  <link rel="stylesheet" type="text/css" href="stylesheets/error-pages.css" media="all"/>
+</head>
+<body>
+  <style type="text/css">
+  body {
+    margin: 0;
+    padding: 40px 0 0 0;
+    background-color: #F3F3F3;
+  }
+  </style>
+  <!-- Error Pages Start Here -->
+  <div id="error-page">
+    <div class="card">
+      <div class="figure code-401"></div>
+      <div class="message">
+        <h1>Unauthorized</h1>
+        <p>You dont have privileges to access this page.</p>
+      </div>
+    </div>
+  </div>
+  <!-- Error Pages End Here -->
+</body>
+</html>
\ No newline at end of file