Modified: trunk/lib/authorization.rb (2199 => 2200)
--- trunk/lib/authorization.rb 2009-05-27 13:58:01 UTC (rev 2199)
+++ trunk/lib/authorization.rb 2009-05-27 14:16:42 UTC (rev 2200)
@@ -141,7 +141,7 @@
# OR
# -- Network instance
# -- Experiment / Job / Runner / TavernaEnactor instance
- # -- Comment
+ # -- Comment / Bookmark
# -- or any other object instance, for which we'll use the object itself to run .authorized?() on it
thing_instance = thing
thing_type = thing.class.name
@@ -172,7 +172,7 @@
# this is required to get "policy_id" for policy-based aurhorized objects (like workflows / blobs / packs / contributions)
# and to get objects themself for other object types (networks, experiments, jobs, tavernaenactors, runners)
if (thing_contribution.nil? && ["Workflow", "Blog", "Blob", "Pack", "Contribution"].include?(thing_type)) ||
- (thing_instance.nil? && ["Network", "Comment", "Experiment", "Job", "TavernaEnactor", "Runner"].include?(thing_type))
+ (thing_instance.nil? && ["Network", "Comment", "Bookmark", "Experiment", "Job", "TavernaEnactor", "Runner"].include?(thing_type))
found_thing = find_thing(thing_type, thing_id)
@@ -304,6 +304,20 @@
is_authorized = false
end
+ when "Bookmark"
+ case action
+ when "destroy"
+ # only the user who created the bookmark can delete it
+ is_authorized = Authorization.is_owner?(user_id, thing_instance)
+ when "view"
+ # everyone can view bookmarks
+ is_authorized = true
+
+ else
+ # 'edit' or any other actions are not allowed on comments
+ is_authorized = false
+ end
+
when "Experiment"
user_instance = get_user(user_id) unless user_instance
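Review bot: The comment on the else branch of the new Bookmark case says "not allowed on comments", but this branch governs bookmarks; it reads as a copy-paste from the Comment case and should be `# 'edit' or any other actions are not allowed on bookmarks`. Separately, `is_authorized = true` for "view" grants read access to any caller, anonymous ones included, without consulting the visibility of the bookmarked object; if a bookmark can point at a non-public workflow or pack, exposing the bookmark may reveal that object's existence, which is worth confirming against where bookmarks are rendered. The enclosing `case thing_type` starts and ends outside the hunk.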
@@ -379,6 +393,8 @@
found_instance = Network.find(thing_id)
when "Comment"
found_instance = Comment.find(thing_id)
+ when "Bookmark"
+ found_instance = Bookmark.find(thing_id)
when "Experiment"
found_instance = Experiment.find(thing_id)
when "Job"
@@ -412,6 +428,8 @@
end
when "Comment"
is_authorized = (thing.user_id == user_id)
+ when "Bookmark"
+ is_authorized = (thing.user_id == user_id)
#else
# do nothing -- unknown "thing" types are not authorized by default
end
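Review bot: `thing.user_id == user_id` in the new Bookmark branch is also true when both sides are nil, so if an unauthenticated caller is represented by a nil user_id here, it would be treated as the owner of a bookmark whose user_id is unset; the Bookmark "destroy" rule earlier in this diff relies on this check. A guard such as `is_authorized = !user_id.nil? && (thing.user_id == user_id)` closes that gap, and the Comment branch just above has the same shape. The enclosing method (presumably is_owner?, which the destroy rule calls) starts outside the hunk, so whether user_id is validated before this point cannot be seen here.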