#1293修复用户可以通过课程实践页面url进入加入私有课程界面的BUG

解决方案：加入课程按钮增加权限判断；课程实践界面增加权限判断
2014-10-08 10:48:10 +08:00 · 2014-10-08 10:48:10 +08:00 · 8ac2640a09
parent b6551f8955
commit 8ac2640a09
3 changed files with 19 additions and 16 deletions
--- a/app/controllers/courses_controller.rb
+++ b/app/controllers/courses_controller.rb
@ -470,23 +470,27 @@ class CoursesController < ApplicationController
  end

  def homework
-    @offset, @limit = api_offset_and_limit({:limit => 10})
-    @bids = @course.homeworks.order('deadline DESC')
-    @bids = @bids.like(params[:name]) if params[:name].present?
-    @bid_count = @bids.count
-    @bid_pages = Paginator.new @bid_count, @limit, params['page']
-
-    @offset ||= @bid_pages.reverse_offset
-    unless @offset == 0
-      @bids = @bids.offset(@offset).limit(@limit).all.reverse
+    if @course.is_public == 0
+      render_403
    else
-      limit = @bid_count % @limit
-      if limit == 0
-        limit = 10
+      @offset, @limit = api_offset_and_limit({:limit => 10})
+      @bids = @course.homeworks.order('deadline DESC')
+      @bids = @bids.like(params[:name]) if params[:name].present?
+      @bid_count = @bids.count
+      @bid_pages = Paginator.new @bid_count, @limit, params['page']
+
+      @offset ||= @bid_pages.reverse_offset
+      unless @offset == 0
+        @bids = @bids.offset(@offset).limit(@limit).all.reverse
+      else
+        limit = @bid_count % @limit
+        if limit == 0
+          limit = 10
+        end
+        @bids = @bids.offset(@offset).limit(limit).all.reverse
      end
-      @bids = @bids.offset(@offset).limit(limit).all.reverse
+      render :layout => 'base_courses'
    end
-    render :layout => 'base_courses'
   end

  # 新建作业
--- a/app/helpers/watchers_helper.rb
+++ b/app/helpers/watchers_helper.rb
@ -97,7 +97,7 @@ module WatchersHelper
    return '' unless user && user.logged?
    # modify by nwb
    # 主讲教师不允许退出课程
-    return '' if user.id == course.tea_id
+    return '' if user.id == course.tea_id || course.is_public == 0
    joined = user.member_of_course?(course)
    text = joined ? l(:label_exit_course) : l(:label_join_course)
    url_t = join_path(:object_id => course.id)
--- a/app/views/layouts/base_courses.html.erb
+++ b/app/views/layouts/base_courses.html.erb
@ -78,7 +78,6 @@
                            <%= link_to l(:label_course_modify_settings), {:controller => 'courses', :action => 'settings', :id => @course} %>
                            <%= render :partial => 'courses/set_course_time', :locals => {:course => @course} %>
                        <% else %>
-
                            <%= join_in_course(@course, User.current) %>
                        <% end %>
                        <% unless User.current.member_of_course?(@course) %>