1.make module app forbid unauthorized access except from admin
2.override sidebar link when it's object_auth or app_auth.
parent
4f7928ad1b
commit
e53ad9f5d1
|
@ -1,10 +1,24 @@
|
|||
class Admin::ModuleAppsNewInterfaceController < OrbitBackendController
|
||||
before_filter :authenticate_user!
|
||||
before_filter :is_admin?
|
||||
before_filter :check_auth
|
||||
# before_filter :authenticate_user!
|
||||
# before_filter :is_admin?
|
||||
include AdminHelper
|
||||
|
||||
layout "new_admin"
|
||||
|
||||
def check_auth
|
||||
|
||||
unless is_admin? and is_manager?
|
||||
flash[:error] = "unauthorized access"
|
||||
if request.env["HTTP_REFERER"]
|
||||
redirect_to :back
|
||||
else
|
||||
render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false)
|
||||
end
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
def setting
|
||||
@sys_users = User.all(conditions: {admin: false}).includes(:avatar).not_guest_user
|
||||
@module_app = ModuleApp.find(params[:module_app_id])
|
||||
|
|
|
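Review bot: The guard in check_auth, `unless is_admin? and is_manager?`, denies any user who is not both an admin and a manager, which is stricter than the commit message's "except from admin"; if admin-only access is intended the condition should read `unless is_admin?`, and `&&` is preferable to `and`, whose low precedence is meant for flow control rather than boolean tests. The semantics of is_manager? are not visible in this hunk, so confirm whether admins who are not managers should really be locked out. The `redirect_to :back` branch sends the browser to whatever the client put in the Referer header; for a 403 it is more predictable to render the 403 page in both branches, and the trailing `false` can go, since on Rails 3 and later it is the redirect or render that halts the filter chain, not the return value. The hunk also leaves `# before_filter :authenticate_user!` and `# before_filter :is_admin?` as commented duplicates of live filters, and the ApprovalsController hunk likewise keeps `# layout 'admin'`; dead lines like these should be deleted rather than commented out. The setting action continues outside the hunk.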
@ -138,9 +138,9 @@ module OrbitApp
|
|||
|
||||
def initialize(label_i18n="NoNameLink",options={})
|
||||
@label_i18n = label_i18n
|
||||
@available_for = options[:available_for]
|
||||
@priority = options[:priority] || 0
|
||||
@path = options[:link_path] || ""
|
||||
set_available_for_avoiding_sensitive_links(options[:available_for] )
|
||||
@active_for_action = options[:active_for_action] || []
|
||||
@active_for_object_auth = options[:active_for_object_auth] || []
|
||||
@active_for_app_auth = options[:active_for_app_auth] || []
|
||||
|
@ -148,6 +148,24 @@ module OrbitApp
|
|||
@get_module_app = options[:get_module_app]
|
||||
end
|
||||
|
||||
def set_available_for_avoiding_sensitive_links(available_for)
|
||||
sensitive_list = {}
|
||||
sensitive_list[:module_app] =/.*manager_auth_proc.*/
|
||||
sensitive_list[:object_auth] = /.*object_auth.*/
|
||||
|
||||
sensitive_list.each do |index,regx|
|
||||
if @path.match(regx)
|
||||
@available_for = case index
|
||||
when :module_app
|
||||
[:admin]
|
||||
when :object_auth
|
||||
[:manager,:admin]
|
||||
end #of case
|
||||
end #of if
|
||||
end #of each
|
||||
@available_for = available_for if @available_for.nil?
|
||||
end #of def
|
||||
|
||||
def get_module_app
|
||||
@get_module_app.call
|
||||
end
|
||||
|
|
|
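Review bot: set_available_for_avoiding_sensitive_links lets the last matching pattern win, so a link path that contains both `manager_auth_proc` and `object_auth` would be widened from `[:admin]` to `[:manager, :admin]`, because `sensitive_list.each` keeps overwriting @available_for and the hash iterates in insertion order. Checking the most restrictive pattern first and stopping at the first hit removes that ambiguity; the `.*` wrappers in both regexes are redundant for an unanchored `match`, and `=/` on the :module_app line wants a space after `=`. Since the method only derives a role list for the link, it belongs under `private` rather than being callable on every link object. The enclosing class in module OrbitApp starts outside the hunk.
```ruby
def set_available_for_avoiding_sensitive_links(available_for)
  # Most restrictive rule first; stop at the first hit so a path matching
  # both patterns cannot be widened to [:manager, :admin].
  sensitive_list = [
    [/manager_auth_proc/, [:admin]],
    [/object_auth/, [:manager, :admin]]
  ]
  _regx, roles = sensitive_list.find { |regx, _| @path.match(regx) }
  @available_for = roles || available_for
end
```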
@ -0,0 +1 @@
|
|||
403 FORIBDDEN
|
|
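Review bot: The body of the new 403 page reads `403 FORIBDDEN`; check_auth renders this file verbatim with `:layout => false`, so the misspelling is exactly what the denied user sees and it should be `403 FORBIDDEN`. It is the only content in the file, so the one-word fix is all that is needed here.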
@ -3,6 +3,8 @@ class Panel::Announcement::BackEnd::ApprovalsController < OrbitBackendControlle
|
|||
before_filter :is_admin?
|
||||
include AdminHelper
|
||||
# layout 'admin'
|
||||
|
||||
|
||||
def preview_and_approve
|
||||
@bulletin = Bulletin.find params[:bulletin_id]
|
||||
end
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
class Panel::Announcement::BackEnd::BulletinsController < OrbitBackendController
|
||||
include AdminHelper
|
||||
include OrbitControllerLib::DivisionForDisable
|
||||
|
||||
before_filter :clean_values, :only => [:create, :update]
|
||||
|
|
|
@ -131,8 +131,7 @@ module Announcement
|
|||
context_link 'admin.module.authorization',
|
||||
:link_path=>"admin_module_app_manager_auth_proc_path(ModuleApp.first(conditions: {title: 'Announcement'}))",
|
||||
:priority=>6,
|
||||
:active_for_app_auth => 'Announcement',
|
||||
:available_for => [:admin]
|
||||
:active_for_app_auth => 'Announcement'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
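Review bot: Dropping `:available_for => [:admin]` from the authorization context_link makes the admin-only restriction depend entirely on the link path containing `manager_auth_proc`, which set_available_for_avoiding_sensitive_links matches by regex; a rename of that route helper would silently leave the link with no explicit role list. Keeping the explicit option costs nothing, since the path rule overrides it when it matches and it remains the fallback otherwise: `:active_for_app_auth => 'Announcement',` followed by `:available_for => [:admin]`. The surrounding module body begins outside the hunk.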