scinote-eln/scinote-web
1
1
Fork 0
mirror of https://github.com/scinote-eln/scinote-web.git synced 2025-11-08 15:31:02 +08:00
Code Issues Projects Releases Packages Wiki Activity

Fix permissions check for steps completion in the API [SCI-6275]

Browse source
This commit is contained in:
Oleksii Kriuchykhin 2021-11-17 21:25:31 +01:00
parent 57de414284
commit b35c283cc5
2 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/api/v1/steps_controller.rb
View file

@ -77,8 +77,12 @@ module Api
def load_step_for_managing def load_step_for_managing
@step = @protocol.steps.find(params.require(:id)) @step = @protocol.steps.find(params.require(:id))
if step_params.key?(:completed) && step_params.except(:completed).blank?
raise PermissionError.new(Step, :toggle_completion) unless can_complete_or_checkbox_step?(@step.protocol)
else
raise PermissionError.new(Protocol, :manage) unless can_manage_protocol_in_module?(@step.protocol) raise PermissionError.new(Protocol, :manage) unless can_manage_protocol_in_module?(@step.protocol)
end end
end
def log_activity(type_of, message_items = {}) def log_activity(type_of, message_items = {})
default_items = { step: @step.id, step_position: { id: @step.id, value_for: 'position_plus_one' } } default_items = { step: @step.id, step_position: { id: @step.id, value_for: 'position_plus_one' } }

3
config/locales/en.yml
View file

@ -2708,6 +2708,9 @@ en:
manage_permission: manage_permission:
title: "Permission denied" title: "Permission denied"
detail: "You don't have permission to manage %{model}" detail: "You don't have permission to manage %{model}"
toggle_completion_permission:
title: "Permission denied"
detail: "You don't have permission to toggle %{model} completion"
read_users_permission: read_users_permission:
title: "Permission denied" title: "Permission denied"
detail: "You don't have permission to read users on %{model}" detail: "You don't have permission to read users on %{model}"