diff --git a/app/permissions/asset.rb b/app/permissions/asset.rb index 0ecbc4095..7bf9821e8 100644 --- a/app/permissions/asset.rb +++ b/app/permissions/asset.rb @@ -22,7 +22,7 @@ Canaid::Permissions.register_for(Asset) do when Step can_manage_step?(user, object) when Result - can_manage_result?(object) + can_manage_result?(user, object) when RepositoryCell if object.repository_column.repository.is_a?(RepositorySnapshot) false diff --git a/app/serializers/asset_serializer.rb b/app/serializers/asset_serializer.rb index decf3bf29..8e40960d4 100644 --- a/app/serializers/asset_serializer.rb +++ b/app/serializers/asset_serializer.rb @@ -104,7 +104,6 @@ class AssetSerializer < ActiveModel::Serializer end def urls - @user = scope[:user] || @instance_options[:user] urls = { preview: asset_file_preview_path(object), download: rails_blob_path(object.file, disposition: 'attachment'), @@ -113,7 +112,8 @@ class AssetSerializer < ActiveModel::Serializer marvin_js: marvin_js_asset_path(object), marvin_js_icon: image_path('icon_small/marvinjs.svg') } - if can_manage_asset?(@user, object) + user = scope[:user] || @instance_options[:user] + if can_manage_asset?(user, object) urls.merge!( toggle_view_mode: toggle_view_mode_path(object), edit_asset: edit_asset_path(object), @@ -122,9 +122,7 @@ class AssetSerializer < ActiveModel::Serializer delete: asset_destroy_path(object) ) end - if wopi && can_manage_asset?(@user, object) - urls[:wopi_action] = object.get_action_url(@user, 'embedview') - end + urls[:wopi_action] = object.get_action_url(user, 'embedview') if wopi && can_manage_asset?(user, object) urls[:blob] = rails_blob_path(object.file, disposition: 'attachment') if object.file.attached? urls