Refs #5865 @1h; Ensure user is allowed to duplicate a referential before doing so

I also changed the way 403 errors are handled, to properly respond with a 403 HTTP code
author: Zog 2018-02-08 16:27:52 +0100
committer: Luc Donnet 2018-02-21 11:23:28 +0100
commit: bcb9a2a7e915a1158427e16342dbaa700ce4ee5d (patch)
tree: 80e4134c7242953440c96a907f49c36450bc5d7e /app/controllers/referentials_controller.rb
parent: 6599a8d6a10e338fed38119115d12a3acb507e1b (diff)
download: chouette-core-bcb9a2a7e915a1158427e16342dbaa700ce4ee5d.tar.bz2
1 files changed, 8 insertions, 0 deletions
diff --git a/app/controllers/referentials_controller.rb b/app/controllers/referentials_controller.rb
index 5267c15d8..6e3694547 100644
--- a/app/controllers/referentials_controller.rb
+++ b/app/controllers/referentials_controller.rb
@@ -7,6 +7,8 @@ class ReferentialsController < ChouetteController
   respond_to :json, :only => :show
   respond_to :js, :only => :show
 
+  before_action :check_cloning_source_is_accessible, only: %i(new create)
+
   def new
     new! do
       build_referential
@@ -175,6 +177,12 @@ class ReferentialsController < ChouetteController
     )
   end
 
+  def check_cloning_source_is_accessible
+    return unless params[:from]
+    source = Referential.find params[:from]
+    return user_not_authorized unless current_user.organisation.workgroups.include?(source.workbench.workgroup)
+  end
+
   def load_workbench
     @workbench ||= Workbench.find(params[:workbench_id]) if params[:workbench_id]
     @workbench ||= resource&.workbench if params[:id]
author	Zog	2018-02-08 16:27:52 +0100
committer	Luc Donnet	2018-02-21 11:23:28 +0100
commit	bcb9a2a7e915a1158427e16342dbaa700ce4ee5d (patch)
tree	80e4134c7242953440c96a907f49c36450bc5d7e /app/controllers/referentials_controller.rb
parent	6599a8d6a10e338fed38119115d12a3acb507e1b (diff)
download	chouette-core-bcb9a2a7e915a1158427e16342dbaa700ce4ee5d.tar.bz2