Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/shared/_edit_button.html.slim
+++ b/app/views/shared/_edit_button.html.slim
@@ -1,3 +1,4 @@
-// default value for fetch will always be evaluated even if it is not returned
- link_target = local_assigns.fetch(:path, false) || send(:"edit_#{object.class.name.underscore}_path", object)
-= link_to(t('shared.edit'), link_target, class: 'btn btn-secondary float-right')
+- if policy(object).edit?
+  // default value for fetch will always be evaluated even if it is not returned
+  - link_target = local_assigns.fetch(:path, false) || send(:"edit_#{object.class.name.underscore}_path", object)
+  = link_to(t('shared.edit'), link_target, class: 'btn btn-secondary float-right')
--- a/app/views/shared/_file.html.slim
+++ b/app/views/shared/_file.html.slim
@@ -7,4 +7,4 @@
 - if file.teacher_defined_test?
  = row(label: 'file.feedback_message', value: render_markdown(file.feedback_message), class: 'm-0')
  = row(label: 'file.weight', value: file.weight)
-= row(label: 'file.content', value: file.native_file? ? link_to(file.native_file.file.filename, file.native_file.url) : code_tag(file.content))
+= row(label: 'file.content', value: file.native_file? ? link_to_if(policy(file.native_file.file.filename).show?, file.native_file.file.filename, file.native_file.url) : code_tag(file.content))