Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/shared/_edit_button.html.slim
+++ b/app/views/shared/_edit_button.html.slim
@@ -1,3 +1,4 @@
-// default value for fetch will always be evaluated even if it is not returned
- link_target = local_assigns.fetch(:path, false) || send(:"edit_#{object.class.name.underscore}_path", object)
-= link_to(t('shared.edit'), link_target, class: 'btn btn-secondary float-right')
+- if policy(object).edit?
+  // default value for fetch will always be evaluated even if it is not returned
+  - link_target = local_assigns.fetch(:path, false) || send(:"edit_#{object.class.name.underscore}_path", object)
+  = link_to(t('shared.edit'), link_target, class: 'btn btn-secondary float-right')