Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/user_mailer/exercise_anomaly_detected.html.slim
+++ b/app/views/user_mailer/exercise_anomaly_detected.html.slim
@@ -12,9 +12,9 @@ table(border=1)
    - @anomalies.keys.each do | id |
      - exercise = Exercise.find(id)
      tr
-        td = link_to(exercise.title, exercise_path(exercise))
+        td = link_to_if(policy(@user, exercise).show?, exercise.title, exercise_path(exercise))
        td = @anomalies[id]
-        td = link_to(t('shared.statistics', locale: :de), statistics_exercise_path(exercise))
+        td = link_to_if(policy(@user, exercise).statistics?, t('shared.statistics', locale: :de), statistics_exercise_path(exercise))


 == t('mailers.user_mailer.exercise_anomaly_detected.body2',
@@ -31,8 +31,8 @@ table(border=1)
    - @anomalies.keys.each do | id |
      - exercise = Exercise.find(id)
      tr
-        td = link_to(exercise.title, exercise_path(exercise))
+        td = link_to_if(policy(@user, exercise).show?, exercise.title, exercise_path(exercise))
        td = @anomalies[id]
-        td = link_to(t('shared.statistics', locale: :en), statistics_exercise_path(exercise))
+        td = link_to_if(policy(@user, exercise).statistics?, t('shared.statistics', locale: :en), statistics_exercise_path(exercise))

 == t('mailers.user_mailer.exercise_anomaly_detected.body3')
--- a/app/views/user_mailer/got_new_comment.slim
+++ b/app/views/user_mailer/got_new_comment.slim
@@ -1 +1,7 @@
-== t('mailers.user_mailer.got_new_comment.body', receiver_displayname: @receiver_displayname, link_to_comment: link_to(@rfc_link, @rfc_link), commenting_user_displayname: @commenting_user_displayname, comment_text: @comment_text, link_my_comments: link_to(t('request_for_comments.index.get_my_comment_requests'), my_request_for_comments_url), link_all_comments: link_to(t('request_for_comments.index.all'), request_for_comments_url) )
+== t('mailers.user_mailer.got_new_comment.body',
+        receiver_displayname: @receiver_displayname,
+        link_to_comment: link_to(@rfc_link, @rfc_link),
+        commenting_user_displayname: @commenting_user_displayname,
+        comment_text: @comment_text,
+        link_my_comments: link_to(t('request_for_comments.index.get_my_comment_requests'), my_request_for_comments_url),
+        link_all_comments: link_to(t('request_for_comments.index.all'), request_for_comments_url) )
--- a/app/views/user_mailer/send_thank_you_note.slim
+++ b/app/views/user_mailer/send_thank_you_note.slim
@@ -1 +1,5 @@
-== t('mailers.user_mailer.send_thank_you_note.body', receiver_displayname: @receiver_displayname, link_to_comment: link_to(@rfc_link, @rfc_link), author: @author, thank_you_note: @thank_you_note )
+== t('mailers.user_mailer.send_thank_you_note.body',
+        receiver_displayname: @receiver_displayname,
+        link_to_comment: link_to(@rfc_link, @rfc_link),
+        author: @author,
+        thank_you_note: @thank_you_note )