From 7f9386180db2df94400bc83e814016081a6e2ecb Mon Sep 17 00:00:00 2001
From: z9han
Date: Mon, 15 Dec 2014 16:53:20 +0800
Subject: [PATCH] =?UTF-8?q?=E9=83=A8=E5=88=86=E6=8E=A5=E5=8F=A3=E6=B7=BB?=
 =?UTF-8?q?=E5=8A=A0=E6=9D=83=E9=99=90=E9=AA=8C=E8=AF=81=E6=8E=A5=E5=8F=A3?=
 =?UTF-8?q?=E3=80=81=E6=96=B0=E9=97=BB=E8=AF=A6=E6=83=85=E5=8F=8A=E5=AF=B9?=
 =?UTF-8?q?=E5=BA=94=E8=AF=84=E8=AE=BA=E6=8E=A5=E5=8F=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/api/mobile/apis/courses.rb | 4 +++-
 app/controllers/news_controller.rb | 6 ++++--
 app/services/courses_service.rb | 33 +++++++++++++++++++++++++-----
 app/services/users_service.rb | 1 +
 4 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/app/api/mobile/apis/courses.rb b/app/api/mobile/apis/courses.rb
index 1b863cd22..21fec6241 100644
--- a/app/api/mobile/apis/courses.rb
+++ b/app/api/mobile/apis/courses.rb
@@ -95,7 +95,9 @@ module Mobile
 end
 route_param :id do
 get do
- course = Course.find(params[:id])
+ cs = CoursesService.new
+ course = cs.show_course params,current_user
+ #course = Course.find(params[:id])
 {status: 0, data: course}
 end
 end
diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb
index f1d97cbe7..868540b64 100644
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@@ -87,8 +87,10 @@ class NewsController < ApplicationController
 end
 def show
- @comments = @news.comments
- @comments.reverse! if User.current.wants_comments_in_reverse_order?
+ cs = CoursesService.new
+ @news,@comments = cs.show_course_news params,User.current
+ #@comments = @news.comments
+ #@comments.reverse! if User.current.wants_comments_in_reverse_order?
 #modify by nwb
 if @news.course_id
 @course = Course.find(@news.course_id)
diff --git a/app/services/courses_service.rb b/app/services/courses_service.rb
index bb36f3cb3..09e4289b5 100644
--- a/app/services/courses_service.rb
+++ b/app/services/courses_service.rb
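Review bot: The new `cs.show_course params,current_user` call raises a bare `RuntimeError` whose message is `'403'` (see the service method added in this same patch), and nothing in this `get` block rescues it, so a non-member requesting a non-public course gets Grape's generic 500 instead of a 403 unless a `rescue_from` exists outside the hunk. If `current_user` can be nil for an unauthenticated mobile request, the service's `currnet_user.member_of_course?` call will also raise `NoMethodError` before any permission decision is reached. Map the failure explicitly, for example wrap the service call in `rescue RuntimeError` / `error!({status: -1, message: 'forbidden'}, 403)`, and reject a nil `current_user` up front. The commented-out `#course = Course.find(params[:id])` line is dead code and should be deleted rather than kept as a comment.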
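Review bot: `@news` is now re-fetched from `params[:id]` inside `cs.show_course_news`, overwriting whatever `@news` the removed lines relied on; if that was set by a before_filter outside this hunk (where a Redmine-style controller would also do its authorization), the service lookup duplicates it, and any caller that reaches `show_course_news` without that filter gets the news item with no permission check, because the service method does not call its own `show_course_news_authorize` helper. The two commented-out lines `#@comments = @news.comments` and `#@comments.reverse! ...` are dead code and should be removed; version control keeps the history. `show` continues past the end of the hunk.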
@@ -83,13 +83,29 @@ class CoursesService
 scope = @course ? @course.news.course_visible : News.course_visible
 end
- #显示课程通知
- def show_course_news
-
+ #查看新闻权限验证
+ def show_course_news_authorize(current_user,course)
+ unless current_user.allowed_to?({:controller => 'news', :action => 'show'}, course)
+ raise '403'
+ end
 end
- def show_course params
+ #显示课程通知(包括评论) 需验证权限
+ def show_course_news params,current_user
+ @news = News.find(params[:id])
+ @comments = @news.comments
+ @comments.reverse! if current_user.wants_comments_in_reverse_order?
+ [@news,@comments]
+ end
+
+
+
+ #显示课程
+ def show_course(params,currnet_user)
 course = Course.find(params[:id])
+ unless (course.is_public == 1 || currnet_user.member_of_course?(@course)|| currnet_user.admin?)
+ raise '403'
+ end
 course
 end
@@ -128,7 +144,14 @@ class CoursesService
 @course
 end
- #编辑课程
+ #验证编辑课程的权限
+ def edit_course_authorize(current_user,course)
+ unless current_user.allowed_to?({:controller => 'courses', :action => 'update'}, course)
+ raise '403'
+ end
+ end
+
+ #编辑课程 需验证权限
+ def edit_course params,course
 course.safe_attributes = params[:course]
 course.time = params[:time]
diff --git a/app/services/users_service.rb b/app/services/users_service.rb
index d281edb19..928ae99ad 100644
--- a/app/services/users_service.rb
+++ b/app/services/users_service.rb
@@ -59,6 +59,7 @@ class UsersService
 end
 #编辑用户
+ #gender 1:female 0:male 其他:male
 def edit_user params
 @user = User.find(params[:id])
 fileio = params[:file]
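Review bot: In `show_course` the membership check passes `@course` instead of the local `course` loaded on the line above, so `member_of_course?` is evaluated against an instance variable this method never assigns (nil unless some other method of the service set it), and the access decision is made on the wrong object; the line should read `unless course.is_public == 1 || currnet_user.member_of_course?(course) || currnet_user.admin?`. `show_course_news` is labelled 需验证权限 (permission check required) but never calls the `show_course_news_authorize` helper added directly above it, so `News.find(params[:id])` hands any news item to any caller; when `@news.course_id` is present, call `show_course_news_authorize(current_user, Course.find(@news.course_id))` before building `@comments`, or at minimum document in English that the caller is responsible for the check. `raise '403'` produces a plain `RuntimeError` that callers can only match by message string; a dedicated class such as `class ForbiddenError < StandardError; end` would let callers rescue it precisely. The parameter name `currnet_user` is a typo for `current_user`.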
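Review bot: `edit_course_authorize` is defined but nothing in this hunk calls it, and `edit_course` (whose body continues past the hunk) receives no `current_user`, so the 需验证权限 comment describes a check that only happens if every caller remembers to invoke the helper first. Either thread the user through with a backward-compatible parameter, `def edit_course(params, course, current_user = nil)` and `edit_course_authorize(current_user, course) if current_user` as its first statement, or replace the comment with an explicit English contract: `# Performs no permission check; callers must call edit_course_authorize(current_user, course) first.` As with the sibling helper above, `raise '403'` is a string-matched `RuntimeError`; a dedicated exception class would be safer for callers to rescue.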