Fix permissions check for steps completion in the API [SCI-6275]

Oleksii Kriuchykhin 2021-11-17 21:25:31 +01:00
parent 57de414284
commit b35c283cc5
2 changed files with 8 additions and 1 deletions
app/controllers/api/v1
config/locales


@ -77,7 +77,11 @@ module Api
def load_step_for_managing
@step = @protocol.steps.find(params.require(:id))
raise PermissionError.new(Protocol, :manage) unless can_manage_protocol_in_module?(@step.protocol)
if step_params.key?(:completed) && step_params.except(:completed).blank?
raise PermissionError.new(Step, :toggle_completion) unless can_complete_or_checkbox_step?(@step.protocol)
else
raise PermissionError.new(Protocol, :manage) unless can_manage_protocol_in_module?(@step.protocol)
end
end
def log_activity(type_of, message_items = {})
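Review bot: In `load_step_for_managing` the weaker `can_complete_or_checkbox_step?` check is chosen from the request body itself, so it is only sound if the action that follows persists exactly what `step_params` returns and nothing else from `params`; that action is outside the hunk, so this should be confirmed. I would state the invariant above the condition, for example `# Completion-only requests need just the completion permission; any other permitted attribute requires manage`. The commit changes two files and neither is a spec, so a request spec seems to be missing for a user who may complete but not manage steps: sending only `completed` should succeed, and sending `completed` together with another permitted attribute should return the manage permission error. If this filter also runs before actions that send no body (this is not visible here), `step_params` could raise before any permission check is reached, which would change the error a caller sees.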


@ -2708,6 +2708,9 @@ en:
manage_permission:
title: "Permission denied"
detail: "You don't have permission to manage %{model}"
toggle_completion_permission:
title: "Permission denied"
detail: "You don't have permission to toggle %{model} completion"
read_users_permission:
title: "Permission denied"
detail: "You don't have permission to read users on %{model}"