增加访问权限控制

app/controllers/poll_controller.rb

@@ -1,9 +1,12 @@
 class PollController < ApplicationController
   before_filter :find_poll_and_course, :only => [:edit,:update,:destroy]
   before_filter :find_container, :only => [:new,:create, :index]
+  before_filter :is_member_of_course, :only => [:index,:show]
+  before_filter :is_course_teacher, :only => [:new,:create,:edit,:update,:destroy]
 
   def index
     if @course
+      @is_teacher = User.current.allowed_to?(:as_teacher,course)
       @polls = Poll.where("polls_type = 'Course' and polls_group_id = #{@course.id}")
       respond_to do |format|
         format.html{render :layout => 'base_courses'}
@@ -86,4 +89,12 @@ class PollController < ApplicationController
       render_404
     end
   end
+
+  def is_member_of_course
+    render_403 unless(@course && User.current.member_of_course?(@course))
+  end
+
+  def is_course_teacher
+    render_403 unless(@course && User.current.allowed_to?(:as_teacher,course))
+  end
 end

app/views/poll/destroy.js.erb

@@ -1,4 +1,4 @@
 <% if @poll%>
     $("#polls_<%= @poll.id%>").remove();
 <%else%>
-<% end %>
+<% end %>