
[myexperiment-hackers] [3509] trunk: Changed authorization for messages


From: noreply
Subject: [myexperiment-hackers] [3509] trunk: Changed authorization for messages
Date: Fri, 12 Apr 2013 13:36:02 +0000 (UTC)

Revision
3509
Author
fbacall
Date
2013-04-12 13:36:00 +0000 (Fri, 12 Apr 2013)

Log Message

Changed authorization for messages

Modified Paths

Diff

Modified: trunk/app/controllers/messages_controller.rb (3508 => 3509)


--- trunk/app/controllers/messages_controller.rb	2013-04-12 13:33:58 UTC (rev 3508)
+++ trunk/app/controllers/messages_controller.rb	2013-04-12 13:36:00 UTC (rev 3509)
@@ -6,8 +6,8 @@
 class MessagesController < ApplicationController
   before_filter :login_required
   
-  before_filter :find_message_by_to_or_from, : [:show, :destroy]
-  before_filter :find_reply_by_to, : [:new]
+  before_filter :find_and_auth_message, : [:show, :destroy]
+  before_filter :find_and_auth_reply, : :new
 
   # declare sweepers and which actions should invoke them
   cache_sweeper :message_sweeper, : [ :create, :show, :destroy, :delete_all_selected ]
@@ -240,20 +240,24 @@
   
 protected
 
-  def find_message_by_to_or_from
-    begin
-      @message = Message.find(params[:id], :conditions => ["`to` = ? OR `from` = ?", current_user.id, current_user.id])
-    rescue ActiveRecord::RecordNotFound
+  def find_and_auth_message
+    action = "" == "show" ? "view" : action_name
+
+    @message = Message.find_by_id(params[:id])
+    if @message.nil?
       render_404("Message not found.")
+    elsif !Authorization.check(action, @message, current_user)
+      render_401("You are not authorized to #{action} this message.")
     end
   end
-  
-  def find_reply_by_to
+
+  def find_and_auth_reply
     if params[:reply_id]
-      begin
-        @reply = Message.find(params[:reply_id], :conditions => ["`to` = ?", current_user.id])
-      rescue ActiveRecord::RecordNotFound
-        render_404("Reply not found.")
+      @reply = Message.find_by_id(params[:reply_id])
+      if @reply.nil?
+        render_404("Original message not found.")
+      elsif !Authorization.check('view', @reply, current_user)
+        render_401("You are not authorized to reply to this message.")
       end
     end
   end
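Review bot: The action mapping on the first line of find_and_auth_message compares the empty string with "show", so `action` is always `action_name` and the show action reaches Authorization.check with "show", which the Message branch added to authorization.rb in this same revision does not handle (it only answers "view" and "destroy"). If that line is rendered faithfully it should read `action = action_name == "show" ? "view" : action_name`; if the archive dropped text there, it is worth confirming against the repository. A smaller point: replacing the user-scoped find with find_by_id plus a separate render_401 lets an unauthorized caller distinguish existing message ids (401) from nonexistent ones (404), where the old query answered 404 for both; if that distinction is unwanted, rendering 404 in the unauthorized branch keeps the previous behaviour, and the same applies to find_and_auth_reply. The MessagesController class continues outside the hunk.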

Modified: trunk/lib/authorization.rb (3508 => 3509)


--- trunk/lib/authorization.rb	2013-04-12 13:33:58 UTC (rev 3508)
+++ trunk/lib/authorization.rb	2013-04-12 13:36:00 UTC (rev 3509)
@@ -339,6 +339,13 @@
 
         end
 
+      when "Message"
+        case action
+          when "view"
+            return object.to == user.id || object.from == user.id
+          when "destroy"
+            return object.to == user.id
+        end
       else
         # don't recognise the kind of object that is being authorized, so
         # we don't specifically know that it needs to be blocked;
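Review bot: The inner `case action` under `when "Message"` has no else, so any action other than "view" or "destroy" (the controller's show action arrives as "show" unless it is remapped) falls out of the branch without returning and continues past the outer case, whose remaining code is outside the hunk, so the result for an unrecognised action is not visible here. Failing closed inside the branch makes the new rule self-contained: add `else` / `return false` as the inner case's last arm. The comparisons also call `user.id` unguarded, so if check can be reached with a nil user (the controller side has login_required, but other callers are not visible) this raises rather than denies; `return false unless user` at the top of the branch would cover that. The enclosing method starts and ends outside the hunk.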
