Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/proxy_exercises/show.html.slim
+++ b/app/views/proxy_exercises/show.html.slim
@@ -7,8 +7,7 @@

 h1
  = @proxy_exercise.title
-  - if policy(@proxy_exercise).edit?
-    = render('shared/edit_button', object: @proxy_exercise)
+  = render('shared/edit_button', object: @proxy_exercise)

 = row(label: 'exercise.title', value: @proxy_exercise.title)
 = row(label: 'proxy_exercise.files_count', value: @exercises.count)
@@ -24,5 +23,5 @@ h2.mt-4 Exercises
        th = sort_link(@search, :created_at, t('shared.created_at'))
    - @proxy_exercise.exercises.each do |exercise|
      tr
-        td = link_to(exercise.title, exercise)
+        td = link_to_if(policy(exercise).show?, exercise.title, exercise)
        td = l(exercise.created_at, format: :short)