Add check file permissions to assets controller

SCI-502 #close
2025-10-06 03:46:39 +08:00 · 2016-09-27 18:14:19 +02:00 · 2016-09-27 18:14:19 +02:00 · e96e8486ea
commit e96e8486ea
parent 25c9ec67b3
2 changed files with 15 additions and 1 deletions
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@ -1,6 +1,7 @@
 class AssetsController < ApplicationController
  before_action :load_vars, except: [:signature]
  before_action :check_read_permission, except: [:signature, :file_present]
+  before_action :check_edit_permission, only: [ :edit ]

  # Validates asset and then generates S3 upload posts, because
  # otherwise untracked files could be uploaded to S3
@ -107,6 +108,18 @@ class AssetsController < ApplicationController
    end
  end

+  def check_edit_permission
+    if @assoc.class == Step
+      unless can_edit_step_in_protocol(@protocol)
+        render_403 and return
+      end
+    elsif @assoc.class == Result
+      unless can_edit_result_asset_in_module(@my_module)
+        render_403 and return
+      end
+    end
+  end
+
  def generate_upload_posts(asset)
    posts = []
    s3_post = S3_BUCKET.presigned_post(
--- a/app/views/steps/_step.html.erb
+++ b/app/views/steps/_step.html.erb
@ -76,7 +76,8 @@
                        <% if asset.can_perform_action("view") %>
                          <%= link_to "View", view_asset_url(id: asset) %>
                        <% end %>
-                        <% if asset.can_perform_action("edit") %>
+                        <% if can_edit_step_in_protocol(@protocol) &&
+                              asset.can_perform_action("edit") %>
                          <%= link_to "Edit", edit_asset_url(id: asset) %>
                        <% end %>
                      <% else %>