From f0b6c33217dc37c21b8a0a8465a5f84156bb585f Mon Sep 17 00:00:00 2001 From: yanxd Date: Tue, 26 Nov 2013 16:55:46 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E4=B8=80=E4=BA=9B=E5=88=A0?= =?UTF-8?q?=E9=99=A4=E6=9D=83=E9=99=90=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/controllers/memos_controller.rb | 13 +++++++++++++ app/models/memo.rb | 4 ++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/app/controllers/memos_controller.rb b/app/controllers/memos_controller.rb index 71c96a06e..d44be19b4 100644 --- a/app/controllers/memos_controller.rb +++ b/app/controllers/memos_controller.rb @@ -3,6 +3,8 @@ class MemosController < ApplicationController before_filter :find_forum, :only => [:new, :preview] before_filter :find_attachments, :only => [:preview] before_filter :find_memo, :except => [:new, :create , :preview, :update] + before_filter :authenticate_user_edit, :only => [:edit, :update] + before_filter :authenticate_user_destroy, :only => [:destroy] helper :attachments include AttachmentsHelper @@ -144,4 +146,15 @@ class MemosController < ApplicationController render_404 nil end + + def authenticate_user_edit + find_memo + render_403 unless @memo.editable_by? User.current + end + + def authenticate_user_destroy + find_memo + render_403 unless @memo.destroyable_by? User.current + + end end diff --git a/app/models/memo.rb b/app/models/memo.rb index 532669a4b..0c1f7032e 100644 --- a/app/models/memo.rb +++ b/app/models/memo.rb @@ -85,11 +85,11 @@ class Memo < ActiveRecord::Base def editable_by? user # user && user.logged? || (self.author == usr && usr.allowed_to?(:edit_own_messages, project)) - (user && self.author == user && !self.lock || user.admin?) && true + user.admin? end def destroyable_by? user - user.admin? + user && user.logged? && Forum.find(self.forum_id).creator_id == user.id || user.admin? #self.author == user || user.admin? end
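Review bot: In `authenticate_user_edit` and `authenticate_user_destroy`, `@memo` can be nil when `find_memo` has already rendered a 404 (the context lines above show it ending in `render_404` / `nil`), so `@memo.editable_by? User.current` then raises NoMethodError on top of an already-rendered response; add a guard after each `find_memo` call, i.e. `find_memo` / `return unless @memo` / `render_403 unless @memo.editable_by? User.current`. Both filters are defined as public methods at the bottom of the controller; if `find_memo` sits under a `private` marker they inherit it, otherwise they are routable actions and belong below `private`. The stray blank line before `end` in `authenticate_user_destroy` should be removed. The first hunk's filter list already runs `find_memo` for `:edit` and `:destroy`, so the explicit call inside these filters is only needed for `:update`, which is excluded from `find_memo` there.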
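Review bot: `destroyable_by?` dereferences `user` unconditionally: `&&` binds tighter than `||`, so for a nil user the left operand evaluates to nil and `user.admin?` on the right raises NoMethodError, whereas the removed `editable_by?` body wrapped the guarded part in parentheses. Rewrite it as `return false unless user` followed by `user.admin? || (user.logged? && Forum.find(self.forum_id).creator_id == user.id)`, which also skips the forum lookup for admins. `Forum.find` raises ActiveRecord::RecordNotFound if the forum row is missing; if the model has a `belongs_to :forum` association (not visible here), `forum && forum.creator_id == user.id` avoids both the extra query and the exception. `editable_by?` now has the same nil problem with its bare `user.admin?` and keeps a commented-out former rule above it that should either be deleted or replaced by a one-line comment stating that editing is admin-only.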