Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/external_users/index.html.slim
+++ b/app/views/external_users/index.html.slim
@@ -10,8 +10,8 @@ h1 = ExternalUser.model_name.human(count: 2)
    tbody
      - @users.each do |user|
        tr
-          td = user.name
-          td = link_to(user.consumer, user.consumer)
-          td = link_to(t('shared.show'), user)
+          td = link_to_if(policy(user).show?, user.name)
+          td = link_to_if(policy(user.consumer).show?, user.consumer, user.consumer)
+          td = link_to(t('shared.show'), user) if policy(user).show?

 = render('shared/pagination', collection: @users)
--- a/app/views/external_users/show.html.slim
+++ b/app/views/external_users/show.html.slim
@@ -5,7 +5,7 @@ h1 = @user.name
 = row(label: 'external_user.consumer', value: link_to(@user.consumer, @user.consumer))
 = row(label: 'external_user.role', value: t("users.roles.#{@user.role}"))

-h4.mt-4 = link_to(t('.exercise_statistics'), statistics_external_user_path(@user))
+h4.mt-4 = link_to(t('.exercise_statistics'), statistics_external_user_path(@user)) if policy(@user).statistics?

 h4.mt-4 = t('.tag_statistics')
 #loading
--- a/app/views/external_users/statistics.html.slim
+++ b/app/views/external_users/statistics.html.slim
@@ -13,7 +13,7 @@ h1 = t('.title')
        - if statistics[exercise.id]
          - stats = statistics[exercise.id]
          tr
-            td = link_to exercise, controller: "exercises", action: "statistics", external_user_id: @user.id, id: exercise.id
+            td = link_to_if policy(exercise).show?, exercise, controller: "exercises", action: "statistics", external_user_id: @user.id, id: exercise.id
            td = stats["maximum_score"] or 0
            td = stats["runs"] or 0
            td = stats["working_time"] or 0