Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/execution_environments/show.html.slim
+++ b/app/views/execution_environments/show.html.slim
@@ -3,7 +3,7 @@ h1
  = render('shared/edit_button', object: @execution_environment)

 = row(label: 'execution_environment.name', value: @execution_environment.name)
-= row(label: 'execution_environment.user', value: link_to(@execution_environment.author, @execution_environment.author))
+= row(label: 'execution_environment.user', value: link_to_if(policy(@execution_environment.author).show?, @execution_environment.author, @execution_environment.author))
 = row(label: 'execution_environment.file_type', value: @execution_environment.file_type.present? ? link_to(@execution_environment.file_type, @execution_environment.file_type) : nil)
 - [:docker_image, :exposed_ports, :memory_limit, :network_enabled, :permitted_execution_time, :pool_size].each do |attribute|
  = row(label: "execution_environment.#{attribute}", value: @execution_environment.send(attribute))
--- a/app/views/execution_environments/statistics.html.slim
+++ b/app/views/execution_environments/statistics.html.slim
@@ -14,7 +14,7 @@ h1 = @execution_environment
        - if wts then average_time = wts["average_time"] else 0
        - if wts then stddev_time = wts["stddev_time"] else 0
        tr
-          td = link_to exercise.title, controller: "exercises", action: "statistics", id: exercise.id, 'data-turbolinks' => "false"
+          td = link_to_if policy(exercise).show?, exercise.title, controller: "exercises", action: "statistics", id: exercise.id, 'data-turbolinks' => "false"
          td = us["users"]
          td = us["average_score"].to_f.round(4)
          td = us["maximum_score"].to_f.round(2)