| author | Luc Donnet | 2018-03-02 11:15:23 +0100 |
|---|---|---|
| committer | GitHub | 2018-03-02 11:15:23 +0100 |
| commit | a6de378529be7ca51ba2d1d7a8f03df263f3d2a8 (patch) | |
| tree | 2be36e14e00afed1d934de285f7c0e412fb6b78a /app | |
| parent | f6f29efdac828a8d44130868215307daa1ab07c3 (diff) | |
| parent | 63ab2c81b292fe18c28f9f22232ad3cb712a9717 (diff) | |
| download | chouette-core-a6de378529be7ca51ba2d1d7a8f03df263f3d2a8.tar.bz2 | |
Merge pull request #295 from af83/5865-validate-referential-cloning
5865 Ensure user is allowed to duplicate a referential
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/application_controller.rb | 2 | ||||
| -rw-r--r-- | app/controllers/referentials_controller.rb | 8 | ||||
| -rw-r--r-- | app/models/organisation.rb | 2 |
3 files changed, 11 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 45b7f55f6..c4961123d 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -28,7 +28,7 @@ class ApplicationController < ActionController::Base
 protected
 def user_not_authorized
- redirect_to forbidden_path
+ render 'errors/forbidden', status: 403
 end
 def current_organisation
diff --git a/app/controllers/referentials_controller.rb b/app/controllers/referentials_controller.rb
index 5267c15d8..6e3694547 100644
--- a/app/controllers/referentials_controller.rb
+++ b/app/controllers/referentials_controller.rb
@@ -7,6 +7,8 @@ class ReferentialsController < ChouetteController
 respond_to :json, :only => :show
 respond_to :js, :only => :show
+ before_action :check_cloning_source_is_accessible, only: %i(new create)
+
 def new
 new! do
 build_referential
@@ -175,6 +177,12 @@ class ReferentialsController < ChouetteController
 )
 end
+ def check_cloning_source_is_accessible
+ return unless params[:from]
+ source = Referential.find params[:from]
+ return user_not_authorized unless current_user.organisation.workgroups.include?(source.workbench.workgroup)
+ end
+
 def load_workbench
 @workbench ||= Workbench.find(params[:workbench_id]) if params[:workbench_id]
 @workbench ||= resource&.workbench if params[:id]
diff --git a/app/models/organisation.rb b/app/models/organisation.rb
index e8fb4e060..745bc0d22 100644
--- a/app/models/organisation.rb
+++ b/app/models/organisation.rb
@@ -13,6 +13,8 @@ class Organisation < ActiveRecord::Base
 has_many :line_referentials, through: :line_referential_memberships
 has_many :workbenches
+ has_many :workgroups, through: :workbenches
+
 has_many :calendars
 has_many :api_keys, class_name: 'Api::V1::ApiKey' |
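Review bot: `render 'errors/forbidden', status: 403` in user_not_authorized renders a view for whatever format the request negotiated; for a JSON or JS request (ReferentialsController declares `respond_to :json` and `:js` for show) Rails raises ActionView::MissingTemplate if only an HTML template exists, turning the intended 403 into a 500, whereas the replaced redirect was format-agnostic. Pinning the format, `render 'errors/forbidden', status: :forbidden, formats: [:html]`, or answering non-HTML requests with `head :forbidden`, keeps the status intact for every client. The symbolic `:forbidden` also reads better than the bare 403. The ApplicationController class continues on both sides of the hunk.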
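Review bot: In check_cloning_source_is_accessible, `source.workbench.workgroup` raises NoMethodError (a 500, not a 403) if the referential found from params[:from] has no workbench; whether that can happen depends on the Referential schema, which this hunk does not show. Safer to resolve the workgroup first and treat nil as not accessible: `workgroup = source.workbench&.workgroup` followed by `user_not_authorized unless workgroup && current_user.organisation.workgroups.include?(workgroup)` — the `return` in front of the render call is not needed, since a before_action that renders halts the chain on its own. The guard only inspects params[:from]; if the create action can derive the cloning source from any other parameter, that path is unchecked — confirm against the create action, which is outside this hunk. A one-line comment stating the contract, `# The source referential (params[:from]) must belong to one of the current organisation's workgroups`, would make the intent visible to the next reader. The enclosing ReferentialsController class starts and ends outside the hunk.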
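Review bot: `has_many :workgroups, through: :workbenches` yields one row per workbench, so an organisation with several workbenches in the same workgroup gets duplicates from `organisation.workgroups`; harmless for the `include?` check this commit adds, but misleading wherever the association is listed or counted. If the schema allows that, declare it `has_many :workgroups, -> { distinct }, through: :workbenches`. The Organisation class continues outside the hunk.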
