Add permission check for results download

aignatov-bio 2021-09-20 14:25:07 +02:00
parent e874d7507b
commit 78098f2d8c
4 changed files with 12 additions and 2 deletions


@ -1 +1 @@
1.22.4
1.22.4.1


@ -1,7 +1,7 @@
class ResultAssetsController < ApplicationController
include ResultsHelper
before_action :load_vars, only: [:edit, :update, :download]
before_action :load_vars, only: [:edit, :update]
before_action :load_vars_nested, only: [:new, :create]
before_action :check_manage_permissions, only: %i(new create edit update)
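Review bot: ResultAssetsController is the only controller touched here that gets no `check_view_permissions` filter; the one visible change is to the `only:` list of `before_action :load_vars`. The page has lost its +/- markers, so reading the line without `:download` as the new side is an inference from print order (old, then new, as in the version bump above). If this controller still defines or routes a `download` action (not visible in this hunk), that action would now run without the setup `load_vars` performs and without any read check. In that case keep `:download` in the `load_vars` list and add `before_action :check_view_permissions, only: [:download]` with a matching method, as in the other two controllers; otherwise remove the action and its route in the same change. The class body continues outside the hunk.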


@ -7,6 +7,7 @@ class ResultTablesController < ApplicationController
before_action :check_manage_permissions, only: %i(new create edit update)
before_action :check_archive_permissions, only: [:update]
before_action :check_view_permissions, only: [:download]
def new
@table = Table.new
@ -155,6 +156,10 @@ class ResultTablesController < ApplicationController
end
end
def check_view_permissions
render_403 unless can_read_result?(@result)
end
def result_params
params.require(:result).permit(
:name, :archived,
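Review bot: `check_view_permissions` reads `@result`, but nothing in these hunks shows where it is assigned for the `download` action. The filter that loads it (presumably `load_vars`, registered above line 7 and outside the hunk) has to include `:download` and be declared before this one, because `before_action` filters run in declaration order. If `@result` can be nil at this point, the outcome depends on how `can_read_result?` handles nil, so `render_403 unless @result && can_read_result?(@result)` would make the deny path explicit. The same applies to the identical hunks in ResultTextsController. A request spec asserting a 403 on `download` for a user without read access would pin the behaviour this commit introduces.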


@ -10,6 +10,7 @@ class ResultTextsController < ApplicationController
before_action :check_manage_permissions, only: %i(new create edit update)
before_action :check_archive_permissions, only: [:update]
before_action :check_view_permissions, only: [:download]
def new
@result = Result.new(
@ -159,6 +160,10 @@ class ResultTextsController < ApplicationController
end
end
def check_view_permissions
render_403 unless can_read_result?(@result)
end
def result_params
params.require(:result).permit(
:name, :archived,
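Review bot: This `check_view_permissions` is a byte-for-byte copy of the one added to ResultTablesController; defining it once in a shared concern or common base controller would keep the two download checks from drifting apart. It is also worth confirming that the method sits below the `private` keyword, which is not visible in the hunk (the method is inserted just before `result_params`), since a public controller method is reachable as an action if a route matches it. A one-line comment above the method, such as `# Denies the download unless the current user can read the result.`, would document the intent.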