htwkmooc/codeocean
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Correctly authorize comment deletion

Browse Source
This commit is contained in:
Maximilian Grundke
2016-04-27 17:16:23 +02:00
parent 57b773698b
commit 8ef615ffaa
2 changed files with 3 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/comments_controller.rb
View File

@ -111,9 +111,8 @@ class CommentsController < ApplicationController
end end
def destroy def destroy
@comments = Comment.where(file_id: params[:file_id], row: params[:row]) @comments = Comment.where(file_id: params[:file_id], row: params[:row], user: current_user)
authorize! @comments.each { |comment| authorize comment; comment.destroy }
@comments.delete_all
respond_to do |format| respond_to do |format|
#format.html { redirect_to comments_url, notice: 'Comments were successfully destroyed.' } #format.html { redirect_to comments_url, notice: 'Comments were successfully destroyed.' }
format.html { head :no_content, notice: 'Comments were successfully destroyed.' } format.html { head :no_content, notice: 'Comments were successfully destroyed.' }

8
app/policies/comment_policy.rb
View File

@ -1,12 +1,6 @@
class CommentPolicy < ApplicationPolicy class CommentPolicy < ApplicationPolicy
def author? def author?
if @record.is_a?(ActiveRecord::Relation) @user == @record.author
flag = true
@record.all {|item| flag = (flag and item.author == @user)}
flag
else
@user == @record.author
end
end end
private :author? private :author?