Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/request_for_comments/_admin_menu.html.slim
+++ b/app/views/request_for_comments/_admin_menu.html.slim
@@ -1,8 +1,8 @@
 hr
 h5.mt-4 Admin Menu
 ul.text
-  li = link_to "User's current status of this exercise", statistics_external_user_exercise_path(id: @request_for_comment.exercise_id, external_user_id: @request_for_comment.user_id)
-  li = link_to "All exercises of this user", statistics_external_user_path(id: @request_for_comment.user_id)
+  li = link_to "User's current status of this exercise", statistics_external_user_exercise_path(id: @request_for_comment.exercise_id, external_user_id: @request_for_comment.user_id) if policy(@request_for_comment.exercise).statistics?
+  li = link_to "All exercises of this user", statistics_external_user_path(id: @request_for_comment.user_id) if policy(@request_for_comment.user).statistics?
 ul.text
-  li = link_to "Implement the exercise yourself", implement_exercise_path(id: @request_for_comment.exercise_id)
-  li = link_to "Show the exercise", exercise_path(id: @request_for_comment.exercise_id)
+  li = link_to "Implement the exercise yourself", implement_exercise_path(id: @request_for_comment.exercise_id) if policy(@request_for_comment.exercise).implement?
+  li = link_to "Show the exercise", exercise_path(id: @request_for_comment.exercise_id) if policy(@request_for_comment.exercise).show?
--- a/app/views/request_for_comments/_form.html.slim
+++ b/app/views/request_for_comments/_form.html.slim
@@ -1,28 +0,0 @@
-= form_for(@request_for_comment) do |f|
-  - if @request_for_comment.errors.any?
-    #error_explanation
-      h2
-        = pluralize(@request_for_comment.errors.count, "error")
-        | prohibited this request_for_comment from being saved:
-      ul
-        - @request_for_comment.errors.full_messages.each do |message|
-          li= message
-
-  .field
-    = f.label :user_id
-    br/
-    = f.number_field :user_id
-  .field
-    = f.label :exercise_id
-    br/
-    = f.number_field :exercise_id
-  .field
-    = f.label :file_id
-    br/
-    = f.number_field :file_id
-  .field
-    = f.label :user_type
-    br/
-    = f.text_field :user_type
-  .actions
-    = f.submit
--- a/app/views/request_for_comments/index.html.slim
+++ b/app/views/request_for_comments/index.html.slim
@@ -32,8 +32,8 @@ h1 = RequestForComment.model_name.human(count: 2)
              span class="fa fa-check" style="color:darkgrey" aria-hidden="true"
          - else
            td = ''
-          td = link_to(request_for_comment.exercise.title, request_for_comment)
-          - if request_for_comment.has_attribute?(:question) && request_for_comment.question
+          td = link_to_if(policy(request_for_comment.exercise).show?, request_for_comment.exercise.title, request_for_comment)
+          - if request_for_comment.has_attribute?(:question) && request_for_comment.question.present?
            td = truncate(request_for_comment.question, length: 200)
          - else
            td = '-'
--- a/app/views/request_for_comments/show.html.slim
+++ b/app/views/request_for_comments/show.html.slim
@@ -2,12 +2,12 @@
  h4#exercise_caption.list-group-item-heading data-comment-exercise-url=create_comment_exercise_request_for_comment_path data-exercise-id="#{@request_for_comment.exercise.id}" data-rfc-id="#{@request_for_comment.id}"
    - if @request_for_comment.solved?
      span.fa.fa-check aria-hidden="true"
-    = link_to(@request_for_comment.exercise.title, [:implement, @request_for_comment.exercise])
+    = link_to_if(policy(@request_for_comment.exercise).show?, @request_for_comment.exercise.title, [:implement, @request_for_comment.exercise])
  p.list-group-item-text
    - user = @request_for_comment.user
    - submission =  @request_for_comment.submission
    - testruns = Testrun.where(:submission_id => @request_for_comment.submission)
-    = user.displayname
+    = link_to_if(policy(user).show?, user.displayname, user)
    | | #{@request_for_comment.created_at.localtime}
  .rfc
    .description
@@ -22,7 +22,7 @@
        = t('activerecord.attributes.request_for_comments.question')
      .text
        - question = @request_for_comment.question
-        = question.nil? or question.empty? ? t('request_for_comments.no_question') : question
+        = question.blank? ? t('request_for_comments.no_question') : question

    - if policy(@request_for_comment).mark_as_solved? and not @request_for_comment.solved?
      = render('mark_as_solved')