Modified: trunk/app/controllers/messages_controller.rb (3508 => 3509)
--- trunk/app/controllers/messages_controller.rb 2013-04-12 13:33:58 UTC (rev 3508)
+++ trunk/app/controllers/messages_controller.rb 2013-04-12 13:36:00 UTC (rev 3509)
@@ -6,8 +6,8 @@
class MessagesController < ApplicationController
before_filter :login_required
- before_filter :find_message_by_to_or_from, : [:show, :destroy]
- before_filter :find_reply_by_to, : [:new]
+ before_filter :find_and_auth_message, : [:show, :destroy]
+ before_filter :find_and_auth_reply, : :new
# declare sweepers and which actions should invoke them
cache_sweeper :message_sweeper, : [ :create, :show, :destroy, :delete_all_selected ]
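Review bot: The new reply filter is registered for `:new` only, so if `create` also reads `params[:reply_id]` (the sweeper line lists `:create`, and the reply-form flow suggests it does) the recipient check on the original message runs when the form is shown but not when the reply is actually persisted. If that is the case the filter list should read `before_filter :find_and_auth_reply, :only => [:new, :create]`, or `create` must perform the same `Authorization.check` itself. Likewise `delete_all_selected` is sweeper-listed but covered by neither filter; confirm it scopes the deleted ids to `current_user` on its own, since those actions are outside this hunk.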
@@ -240,20 +240,24 @@
protected
- def find_message_by_to_or_from
- begin
- @message = Message.find(params[:id], :conditions => ["`to` = ? OR `from` = ?", current_user.id, current_user.id])
- rescue ActiveRecord::RecordNotFound
+ def find_and_auth_message
+ action = "" == "show" ? "view" : action_name
+
+ @message = Message.find_by_id(params[:id])
+ if @message.nil?
render_404("Message not found.")
+ elsif !Authorization.check(action, @message, current_user)
+ render_401("You are not authorized to #{action} this message.")
end
end
-
- def find_reply_by_to
+
+ def find_and_auth_reply
if params[:reply_id]
- begin
- @reply = Message.find(params[:reply_id], :conditions => ["`to` = ?", current_user.id])
- rescue ActiveRecord::RecordNotFound
- render_404("Reply not found.")
+ @reply = Message.find_by_id(params[:reply_id])
+ if @reply.nil?
+ render_404("Original message not found.")
+ elsif !Authorization.check('view', @reply, current_user)
+ render_401("You are not authorized to reply to this message.")
end
end
end
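Review bot: `find_and_auth_reply` now authorizes the original message with the `'view'` action, which in the new `Message` branch of `Authorization.check` also passes when `object.from == user.id`, so a sender can now open a reply form against their own sent message, whereas the removed query matched only `` `to` = current_user.id ``. If that widening is not intended, give replies their own rule: `elsif !Authorization.check('reply', @reply, current_user)` here, backed by `when "reply" then return object.to == user.id` in the `Message` branch. Separately, answering `render_404` for a missing id but `render_401` for an existing id the caller may not see lets any logged-in user enumerate valid message ids, which the old scoped `find` (404 in both cases) did not; if that matters, render the same 404 on the authorization failure as well. Also, as printed, `action = "" == "show" ? "view" : action_name` compares an empty literal, so `action` is always `action_name` and `show` is never mapped to `"view"` (the only action names the `Message` branch knows are `"view"` and `"destroy"`); unless this is a transcription artifact it should be `action = action_name == "show" ? "view" : action_name`.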
Modified: trunk/lib/authorization.rb (3508 => 3509)
--- trunk/lib/authorization.rb 2013-04-12 13:33:58 UTC (rev 3508)
+++ trunk/lib/authorization.rb 2013-04-12 13:36:00 UTC (rev 3509)
@@ -339,6 +339,13 @@
end
+ when "Message"
+ case action
+ when "view"
+ return object.to == user.id || object.from == user.id
+ when "destroy"
+ return object.to == user.id
+ end
else
# don't recognise the kind of object that is being authorized, so
# we don't specifically know that it needs to be blocked;