mirror of
https://github.com/scinote-eln/scinote-web.git
synced 2024-09-21 07:26:15 +08:00
fix user_project manage permission
parent
b9ac110574
commit
75875e5421
|
@ -3,10 +3,11 @@ class UserProjectsController < ApplicationController
|
|||
include InputSanitizeHelper
|
||||
|
||||
before_action :load_vars
|
||||
before_action :load_up_var, only: %i(update destroy)
|
||||
before_action :check_view_permissions, only: :index
|
||||
before_action :check_manage_users_permissions, only: :index_edit
|
||||
before_action :check_create_permissions, only: :create
|
||||
before_action :check_manage_permisisons, only: %i(update destroy)
|
||||
before_action :check_manage_permissions, only: %i(update destroy)
|
||||
|
||||
def index
|
||||
@users = @project.user_projects
|
||||
|
@ -86,12 +87,6 @@ class UserProjectsController < ApplicationController
|
|||
end
|
||||
|
||||
def update
|
||||
@up = UserProject.find(params[:id])
|
||||
|
||||
unless @up
|
||||
render_404
|
||||
end
|
||||
|
||||
@up.role = up_params[:role]
|
||||
|
||||
if @up.save
|
||||
|
@ -168,16 +163,12 @@ class UserProjectsController < ApplicationController
|
|||
|
||||
def load_vars
|
||||
@project = Project.find_by_id(params[:project_id])
|
||||
unless @project
|
||||
render_404
|
||||
end
|
||||
render_404 unless @project
|
||||
end
|
||||
|
||||
if action_name == "destroy"
|
||||
@up = UserProject.find(params[:id])
|
||||
unless @up
|
||||
render_404
|
||||
end
|
||||
end
|
||||
def load_up_var
|
||||
@up = UserProject.find(params[:id])
|
||||
render_404 unless @up
|
||||
end
|
||||
|
||||
def check_view_permissions
|
||||
|
@ -192,9 +183,9 @@ class UserProjectsController < ApplicationController
|
|||
render_403 unless can_create_projects?(current_team)
|
||||
end
|
||||
|
||||
def check_manage_permisisons
|
||||
render_403 unless can_manage_project?(@project) ||
|
||||
params[:id] != current_user.id
|
||||
def check_manage_permissions
|
||||
render_403 unless can_manage_project?(@project) &&
|
||||
@up.user_id != current_user.id
|
||||
end
|
||||
|
||||
def init_gui
|
||||
|
|
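Review bot: `load_up_var` fetches the membership with `UserProject.find(params[:id])`, so `@up` is never tied to the `@project` that `check_manage_permissions` authorizes through `can_manage_project?(@project)`; as far as the visible lines show, `update` and `destroy` could then act on a membership row that belongs to a different project than the one the permission check covered. Loading it through the association, `@up = @project.user_projects.find_by_id(params[:id])`, scopes the record to the authorized project and also makes the following `render_404 unless @up` reachable, since `find` raises `ActiveRecord::RecordNotFound` rather than returning nil. The bodies of `update` and `destroy` continue outside the hunks, so confirm they do not already compare `@up.project_id` with `@project.id`. A one-line comment on `check_manage_permissions` saying that managers may not change or remove their own membership would make the `@up.user_id != current_user.id` clause read as intentional.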