下载添加权限判断

app/controllers/attachments_controller.rb

@@ -50,19 +50,39 @@ class AttachmentsController < ApplicationController
   end
 
   def download
-    if true || @attachment.container.is_a?(Version) || @attachment.container.is_a?(Project)
-      @attachment.increment_download
+    # modify by nwb
+    # 下载添加权限设置
+    candown = false
+    if @attachment.container.has_attribute?(:project) && @attachment.container.project
+      project = @attachment.container.project
+      candown= User.current.member_of?(project)
+    elsif  @attachment.container.is_a?(Project)
+      project = @attachment.container
+      candown= User.current.member_of?(project)
+    elsif @attachment.container.has_attribute?(:course) && @attachment.container.course
+      course = @attachment.container.course
+      candown= User.current.member_of_course?(course)
+    elsif @attachment.container.is_a?(Course)
+      course = @attachment.container
+      candown= User.current.member_of_course?(course)
+    elsif @attachment.container.class.to_s=="HomeworkAttach" && @attachment.container.bid.reward_type == 3
+      candown = true
     end
+    if candown || User.current.admin?
+      @attachment.increment_download
+    else
+      render_403 :message => :notice_not_authorized
+    end
+
 
     if stale?(:etag => @attachment.digest)
       # images are sent inline
       send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
-                                      :type => detect_content_type(@attachment),
-                                      :disposition => (@attachment.image? ? 'inline' : 'attachment')
+                :type => detect_content_type(@attachment),
+                :disposition => (@attachment.image? ? 'inline' : 'attachment')
     end
   rescue => e
     redirect_to "http://" + (Setting.host_name.to_s) +"/file_not_found.html"
-    return
   end
 
   #更新资源文件类型