Modified: trunk/app/controllers/oauth_controller.rb (2674 => 2675)
--- trunk/app/controllers/oauth_controller.rb 2011-08-15 10:07:00 UTC (rev 2674)
+++ trunk/app/controllers/oauth_controller.rb 2011-08-15 13:35:51 UTC (rev 2675)
@@ -1,5 +1,6 @@
class OauthController < ApplicationController
before_filter :login_required,:except=>[:request_token,:access_token,:test_request]
+ before_filter :find_client_application_auth, : :edit, :update, :destroy]
before_filter :login_or_oauth_required,:
before_filter :verify_oauth_consumer_signature, :
before_filter :verify_oauth_request_token, :
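Review bot: The action list for `find_client_application_auth` on the added `before_filter` line is cut off in this view, so it cannot be confirmed here that it names every action that lost its own lookup — `show`, `edit`, `update` and `destroy` all dereference `@client_application` later in this commit without loading it. If any of those is missing from the `:only` list, that action raises `NoMethodError` on `nil` instead of redirecting. The filter also dereferences `current_user`, so it must stay after `login_required` as it does here; a comment such as `# must run after login_required: relies on current_user` would protect that ordering from a later reorder.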
@@ -107,7 +108,6 @@
end
def show
- @client_application=ClientApplication.find(params[:id])
if (!(@client_application.user_id == current_user.id or @client_application.creator_id == current_user.id))
@client_application = nil
end
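Review bot: The ownership test at the `if` in `show` is now unreachable, because `find_client_application_auth` has already redirected any caller whose `user_id` does not match (the new `Authorization` rule compares only `user_id`), so `@client_application` can never be set to `nil` here. The actual behavior change is that a `creator_id` match no longer grants access; if creators are meant to keep it, that rule has to move into `Authorization`, otherwise these three lines can be deleted with a note like `# ownership already enforced by find_client_application_auth`.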
@@ -117,7 +117,6 @@
def edit
@permissions = TABLES['REST'][:data]
@address@hidden
- @client_application=ClientApplication.find(params[:id])
if (!(@client_application.user_id == current_user.id or @client_application.creator_id == current_user.id))
@client_application = nil
end
@@ -128,10 +127,6 @@
end
def update
- @client_application=ClientApplication.find(params[:client_application][:id])
- if (!(@client_application.user_id == current_user.id or @client_application.creator_id == current_user.id))
- @client_application = nil
- end
if (current_user.admin? or @client_application.key_type=="User")
@client_application.permissions.delete_all
if params[:key_permissions]
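Review bot: The `current_user.admin?` branch kept at the top of `update` is only reachable for applications the admin also owns, since `find_client_application_auth` now redirects on a failed `user_id` match before this code runs (unless `Authorization.is_authorized?` grants admins earlier, which is not visible in this diff). If admins are supposed to edit any application's permissions, that exemption belongs in the filter or in `Authorization`, not here. Separately, `update` is authorized against the id taken from the request body (`params[:client_application][:id]`) rather than the routed `params[:id]`; if the route supplies one, the two should be required to agree. The body of `update` continues past the end of this hunk.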
@@ -150,11 +145,39 @@
end
def destroy
- @client_application=current_user.client_applications.find(params[:id])
address@hidden
@client_application.destroy
flash[:notice]="Registration for Client Application '#{client_application_name}' has been removed!"
redirect_to :action=""
end
-
+
+private
+
+ def find_client_application_auth
+ if action_name == 'update'
+ id = params[:client_application][:id]
+ else
+ id = params[:id]
+ end
+ begin
+ client_app=ClientApplication.find(id)
+ if Authorization.is_authorized?(action_name, nil, client_app, current_user)
+ @client_application = client_app
+ else
+ error("Client Application not found (id not authorized)", "is invalid (not authorized)")
+ return false
+ end
+ rescue ActiveRecord::RecordNotFound
+ error("Client Application not found", "is invalid")
+ return false
+ end
+ end
+
+ def error(notice, message, attr=:id)
+ flash[:error] = notice
+
+ respond_to do |format|
+ format.html { redirect_to oauth_url }
+ end
+ end
end
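Review bot: `find_client_application_auth` raises `NoMethodError` (a 500) on an `update` request that omits the `client_application` parameter, because `params[:client_application][:id]` is read without a nil guard; `id = params[:client_application] && params[:client_application][:id]` turns that into the existing "not found" redirect. The two distinct failure messages also let a caller tell "no such id" from "not yours", a small existence oracle on application ids; one message for both cases is preferable. `error` ignores its `message` and `attr` parameters, so either drop them or wire `message` into the flash. The explicit `return false` is redundant in the Rails versions of this era, where the chain halts because the filter redirected, not because it returned `false`; harmless, but a comment would stop it being mistaken for the halting mechanism.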
Modified: trunk/lib/authorization.rb (2674 => 2675)
--- trunk/lib/authorization.rb 2011-08-15 10:07:00 UTC (rev 2674)
+++ trunk/lib/authorization.rb 2011-08-15 13:35:51 UTC (rev 2675)
@@ -299,7 +299,7 @@
# this is required to get "policy_id" for policy-based aurhorized objects (like workflows / blobs / packs / contributions)
# and to get objects themself for other object types (networks, experiments, jobs, tavernaenactors, runners)
if (thing_contribution.nil? && ["Workflow", "Blog", "Blob", "Pack", "Contribution"].include?(thing_type)) ||
- (thing_instance.nil? && ["Network", "Comment", "Bookmark", "Experiment", "Job", "TavernaEnactor", "Runner", "Picture"].include?(thing_type))
+ (thing_instance.nil? && ["Network", "Comment", "Bookmark", "Experiment", "Job", "TavernaEnactor", "Runner", "Picture", "ClientApplication"].include?(thing_type))
found_thing = find_thing(thing_type, thing_id)
@@ -520,6 +520,10 @@
is_authorized = is_owner?(user_id, thing_instance)
end
+ when "ClientApplication"
+
+ is_authorized = is_owner?(user_id, thing_instance)
+
else
# don't recognise the kind of "thing" that is being authorized, so
# we don't specifically know that it needs to be blocked;
@@ -589,6 +593,8 @@
found_instance = ContentType.find(thing_id)
when "Picture"
found_instance = Picture.find(thing_id)
+ when "ClientApplication"
+ found_instance = ClientApplication.find(thing_id)
end
rescue ActiveRecord::RecordNotFound
# do nothing; makes sure that app won't crash when the required object is not found;
@@ -617,6 +623,8 @@
is_authorized = (thing.user_id == user_id)
when "Picture"
is_authorized = (thing.user_id == user_id)
+ when "ClientApplication"
+ is_authorized = (thing.user_id == user_id)
#else
# do nothing -- unknown "thing" types are not authorized by default
end
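Review bot: The new `ClientApplication` ownership rule compares only `thing.user_id`, whereas the controller's own checks in `show`/`edit` (earlier in this commit) also accepted `creator_id`; since the filter now runs first, an application whose creator is not its user becomes unreachable to that creator. If that is intended, the controller checks should go; if not, the line should read `is_authorized = (thing.user_id == user_id || thing.creator_id == user_id)` (assuming `ClientApplication` has a `creator_id` column, as the controller implies). The enclosing `case` and method start before this hunk.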