Added additional permission checks for moving tasks. Added forgotten enclosing tag in a view.

2024-12-28 11:14:24 +08:00 · 2018-02-09 18:02:04 +01:00 · 2018-02-09 18:02:04 +01:00 · d55734e501
commit d55734e501
parent d7108f5a35
3 changed files with 6 additions and 2 deletions
--- a/app/controllers/canvas_controller.rb
+++ b/app/controllers/canvas_controller.rb
@ -129,7 +129,10 @@ class CanvasController < ApplicationController
                 id.is_a?(String) &&
                 can_manage_module?(MyModule.find_by_id(id))
               end &&
-               to_move.values.all? { |k| k.is_a? String }
+               to_move.values.all? do |exp_id|
+                 exp_id.is_a?(String) &&
+                 can_manage_experiment?(Experiment.find_by_id(exp_id))
+               end
          return render_403
        end
      rescue
--- a/app/views/canvas/edit/_my_module.html.erb
+++ b/app/views/canvas/edit/_my_module.html.erb
@ -33,6 +33,7 @@
          <li>
            <a class="move-module" href="" data-module-id="<%= my_module.id %>"><%=t "experiments.canvas.edit.move_module" %></a>
          </li>
+        <% end %>
        <% if my_module.my_module_group && my_module.my_module_group.my_modules.all? { |my_module| can_manage_module?(my_module) } %>
          <li>
            <a class="move-module-group" href="" data-module-id="<%= my_module.id %>"><%=t "experiments.canvas.edit.move_module_group" %></a>
--- a/app/views/canvas/edit/modal/_move_module.html.erb
+++ b/app/views/canvas/edit/modal/_move_module.html.erb
@ -10,7 +10,7 @@
        <% if experiments.count > 1 %>
          <%= bootstrap_form_tag do |f| %>
            <%= f.select :experiment_id, experiments
-                                        .select { |e| e != @experiment }
+                                        .select { |e| e != @experiment && can_manage_experiment?(e) }
                                        .collect { |e| [ e.name, e.id ] }, {},
                {class: "form-control selectpicker", "data-role" => "clear"} %>
          <% end %>