
[myexperiment-hackers] [2665] trunk: Add auth for pictures.


From: noreply
Subject: [myexperiment-hackers] [2665] trunk: Add auth for pictures.
Date: Fri, 5 Aug 2011 04:56:58 -0400 (EDT)

Revision
2665
Author
dtm
Date
2011-08-05 04:56:57 -0400 (Fri, 05 Aug 2011)

Log Message

Add auth for pictures.

Modified Paths

Diff

Modified: trunk/app/views/pictures/index.rhtml (2664 => 2665)


--- trunk/app/views/pictures/index.rhtml	2011-08-03 14:50:21 UTC (rev 2664)
+++ trunk/app/views/pictures/index.rhtml	2011-08-05 08:56:57 UTC (rev 2665)
@@ -17,6 +17,7 @@
   
 <% odd_row = false -%>
 <% for picture in @pictures %>
+<% if Authorization.is_authorized?("view", nil, picture, current_user) %>
   <tr class="<%= (odd_row = !odd_row) ? "odd_row" : "even_row" %>">
     <td width="150">
       <% if picture.selected? %> 
@@ -45,6 +46,7 @@
     </td>
   </tr>
 <% end %>
+<% end %>
 </table>
 
 <% else %>
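Review bot: The visibility check is applied per row inside the template, so pictures the current user may not view are still loaded into @pictures and still feed whatever condition drives the `<% else %>` on the hunk's last line; if every picture is filtered out, the table is rendered with no rows instead of that empty-state branch. Filtering in the controller, e.g. `@pictures = @pictures.select { |p| Authorization.is_authorized?("view", nil, p, current_user) }`, keeps row rendering, any counts or pagination, and the empty-state branch consistent with one another, and leaves the view with nothing to decide. The `if` that the `<% else %>` belongs to starts outside the hunk, so whether it tests emptiness or something else cannot be confirmed here.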

Modified: trunk/config/tables.xml


(Binary files differ)

Modified: trunk/lib/authorization.rb (2664 => 2665)


--- trunk/lib/authorization.rb	2011-08-03 14:50:21 UTC (rev 2664)
+++ trunk/lib/authorization.rb	2011-08-05 08:56:57 UTC (rev 2665)
@@ -299,7 +299,7 @@
     # this is required to get "policy_id" for policy-based aurhorized objects (like workflows / blobs / packs / contributions)
     # and to get objects themself for other object types (networks, experiments, jobs, tavernaenactors, runners)
     if (thing_contribution.nil? && ["Workflow", "Blog", "Blob", "Pack", "Contribution"].include?(thing_type)) || 
-       (thing_instance.nil? && ["Network", "Comment", "Bookmark", "Experiment", "Job", "TavernaEnactor", "Runner"].include?(thing_type))
+       (thing_instance.nil? && ["Network", "Comment", "Bookmark", "Experiment", "Job", "TavernaEnactor", "Runner", "Picture"].include?(thing_type))
       
       found_thing = find_thing(thing_type, thing_id)
       
@@ -504,6 +504,22 @@
             is_authorized = user_is_administrator?(user)
         end
 
+      when "Picture"
+
+        case action
+
+          when "view"
+            # owner can view all their pictures
+            return true if is_owner?(user_id, thing_instance)
+
+            # anyone can view a user's selected pictures
+            is_authorized = thing_instance.selected?
+
+          when "edit", "destroy"
+            # only the owner of a picture can edit/destroy
+            is_authorized = is_owner?(user_id, thing_instance)
+        end
+
       else
         # don't recognise the kind of "thing" that is being authorized, so
         # we don't specifically know that it needs to be blocked;
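Review bot: The `"view"` branch's `return true if is_owner?(user_id, thing_instance)` leaves the method immediately, while every other branch in this case statement, including the `"edit", "destroy"` branch added directly below it, assigns `is_authorized` and falls through to whatever follows the outer case; any post-processing after the visible `else` is skipped for picture owners only. Writing it as `is_authorized = is_owner?(user_id, thing_instance) || thing_instance.selected?` makes the same decision with the same control flow as its siblings. `thing_instance.selected?` also presumes a non-nil instance: the `find_thing` hunk later in this diff swallows `ActiveRecord::RecordNotFound` and leaves the instance nil, so unless an earlier check (outside this hunk) bails out on a missing instance, a stale picture id would raise `NoMethodError` here rather than denying access, and a `thing_instance.nil?` guard before the inner case would turn that into a deterministic denial. An action other than view/edit/destroy leaves `is_authorized` at whatever it held before, since the inner case has no `else`; the start and end of the enclosing method lie outside the hunk.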
@@ -571,6 +587,8 @@
           found_instance = TavernaEnactor.find(thing_id)
         when "ContentType"
           found_instance = ContentType.find(thing_id)
+        when "Picture"
+          found_instance = Picture.find(thing_id)
       end
     rescue ActiveRecord::RecordNotFound
       # do nothing; makes sure that app won't crash when the required object is not found;
@@ -597,6 +615,8 @@
         is_authorized = (thing.user_id == user_id)
       when "Bookmark"
         is_authorized = (thing.user_id == user_id)
+      when "Picture"
+        is_authorized = (thing.user_id == user_id)
       #else
         # do nothing -- unknown "thing" types are not authorized by default 
     end
