Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/error_templates/show.html.slim
+++ b/app/views/error_templates/show.html.slim
@@ -3,7 +3,7 @@ h1
  = render('shared/edit_button', object: @error_template)

 = row(label: 'error_template.name', value: @error_template.name)
-= row(label: 'exercise.execution_environment', value: link_to(@error_template.execution_environment))
+= row(label: 'exercise.execution_environment', value: link_to_if(policy(@error_template.execution_environment).show?, @error_template.execution_environment))
 = row(label: "error_template.signature") do
  code = @error_template.signature
 - [:description, :hint].each do |attribute|
@@ -29,12 +29,13 @@ h2.mt-4
              span class="fa fa-star" aria-hidden="true"
            - else
              span class="fa fa-star-o" aria-hidden="true"
-          td = link_to(attribute.key, attribute)
+          td = link_to_if(policy(attribute).show?, attribute.key, attribute)
          td = attribute.description
          td
            code = attribute.regex
-          td = link_to(t('shared.show'), attribute)
-          td = link_to(t('shared.destroy'), attribute_error_template_url(:error_template_attribute_id => attribute.id), :method => :delete)
+          td = link_to(t('shared.show'), attribute) if policy(attribute).show?
+          td = link_to(t('shared.edit'), edit_error_template_attribute_path(attribute)) if policy(attribute).edit?
+          td = link_to(t('shared.destroy'), attribute_error_template_url(:error_template_attribute_id => attribute.id), :method => :delete) if policy(attribute).destroy?

 #add-attribute
  = collection_select({}, :error_template_attribute_id,