#1293修复用户可以通过课程实践页面url进入加入私有课程界面的BUG

解决方案：加入课程按钮增加权限判断；课程实践界面增加权限判断
2014-10-08 10:48:10 +08:00 · 2014-10-08 10:48:10 +08:00 · 8ac2640a09
parent b6551f8955
commit 8ac2640a09
3 changed files with 19 additions and 16 deletions
--- a/app/controllers/courses_controller.rb
+++ b/app/controllers/courses_controller.rb
@ -470,6 +470,9 @@ class CoursesController < ApplicationController
  end

  def homework
+    if @course.is_public == 0
+      render_403
+    else
      @offset, @limit = api_offset_and_limit({:limit => 10})
      @bids = @course.homeworks.order('deadline DESC')
      @bids = @bids.like(params[:name]) if params[:name].present?
@ -488,6 +491,7 @@ class CoursesController < ApplicationController
      end
      render :layout => 'base_courses'
    end
+   end

  # 新建作业
  def new_homework
--- a/app/helpers/watchers_helper.rb
+++ b/app/helpers/watchers_helper.rb
@ -97,7 +97,7 @@ module WatchersHelper
    return '' unless user && user.logged?
    # modify by nwb
    # 主讲教师不允许退出课程
-    return '' if user.id == course.tea_id
+    return '' if user.id == course.tea_id || course.is_public == 0
    joined = user.member_of_course?(course)
    text = joined ? l(:label_exit_course) : l(:label_join_course)
    url_t = join_path(:object_id => course.id)
--- a/app/views/layouts/base_courses.html.erb
+++ b/app/views/layouts/base_courses.html.erb
@ -78,7 +78,6 @@
                            <%= link_to l(:label_course_modify_settings), {:controller => 'courses', :action => 'settings', :id => @course} %>
                            <%= render :partial => 'courses/set_course_time', :locals => {:course => @course} %>
                        <% else %>
-
                            <%= join_in_course(@course, User.current) %>
                        <% end %>
                        <% unless User.current.member_of_course?(@course) %>