Ensure mail privacy in message reply and show view.
Thanks to @JuliusR for reporting.
This commit is contained in:
parent
da72d3a61c
commit
18f6cadca2
2 changed files with 16 additions and 6 deletions
|
@ -8,6 +8,9 @@ class MessagesController < ApplicationController
|
|||
# Creates a new message object.
|
||||
def new
|
||||
@message = Message.new(params[:message])
|
||||
if @message.reply_to and not @message.reply_to.is_readable_for?(current_user)
|
||||
redirect_to new_message_url, alert: 'Nachricht ist privat!'
|
||||
end
|
||||
end
|
||||
|
||||
# Creates a new message.
|
||||
|
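Review bot: The check at `if @message.reply_to and not @message.reply_to.is_readable_for?(current_user)` runs only after `Message.new(params[:message])` has already invoked `reply_to=`, which loads the referenced message and copies its subject, sender and full body into the unsaved `@message`; the redirect stops that from being rendered, but the private content is fetched and assembled before authorization, and any other path that builds a message with `reply_to` (the `create` action that continues past this hunk, if it accepts the same params) gets no check here. Resolving the id before building avoids that, e.g. `parent = Message.find(params[:message][:reply_to]) if params[:message] && params[:message][:reply_to]`, redirecting when `parent && !parent.is_readable_for?(current_user)`, and only then assigning. Separately, `and`/`not` are low-precedence control-flow keywords; `if @message.reply_to && !@message.reply_to.is_readable_for?(current_user)` is the idiomatic form. The `redirect_to` is currently the action's last statement, so no `return` is needed, but one should be added if a render ever follows it.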
@ -24,5 +27,8 @@ class MessagesController < ApplicationController
|
|||
# Shows a single message.
|
||||
def show
|
||||
@message = Message.find(params[:id])
|
||||
unless @message.is_readable_for?(current_user)
|
||||
redirect_to messages_url, alert: 'Nachricht ist privat!'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
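Review bot: `unless @message.is_readable_for?(current_user)` raises `NoMethodError` instead of redirecting when `current_user` is nil and the message is private, because the model reads `user.id`; unless a before_filter guarantees a signed-in user for this action (not visible in the hunk), guard with `unless current_user && @message.is_readable_for?(current_user)` or make the model tolerate nil. The redirect with `'Nachricht ist privat!'` also confirms to an unauthorized caller that a message with that id exists; if id enumeration matters here, responding as for a missing record (`raise ActiveRecord::RecordNotFound`) avoids that oracle. Any other member actions on messages (edit/update/destroy, if present) lie outside this hunk and would need the same check.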
@ -2,7 +2,7 @@ class Message < ActiveRecord::Base
|
|||
belongs_to :sender, :class_name => "User", :foreign_key => "sender_id"
|
||||
|
||||
serialize :recipients_ids, Array
|
||||
attr_accessor :sent_to_all, :group_id, :recipient_tokens
|
||||
attr_accessor :sent_to_all, :group_id, :recipient_tokens, :reply_to
|
||||
|
||||
scope :pending, where(:email_state => 0)
|
||||
scope :sent, where(:email_state => 1)
|
||||
|
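Review bot: `attr_accessor :sent_to_all, :group_id, :recipient_tokens, :reply_to` generates a `reply_to=` writer that the custom `def reply_to=(message_id)` later in this class overrides (Ruby reports a method-redefinition warning under `-w`), so only the reader is wanted: keep the existing accessors unchanged and add `attr_reader :reply_to` on its own line. Since the controller assigns this attribute via `Message.new(params[:message])`, it must also appear in `attr_accessible` if this model declares one (not visible in the hunk), otherwise the assignment is silently dropped and the reply flow breaks.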
@ -46,11 +46,11 @@ class Message < ActiveRecord::Base
|
|||
end
|
||||
|
||||
def reply_to=(message_id)
|
||||
message = Message.find(message_id)
|
||||
add_recipients([message.sender])
|
||||
self.subject = "Re: #{message.subject}"
|
||||
self.body = "#{message.sender.nick} schrieb am #{I18n.l(message.created_at, :format => :short)}:\n"
|
||||
message.body.each_line{ |l| self.body += "> #{l}" }
|
||||
@reply_to = Message.find(message_id)
|
||||
add_recipients([@reply_to.sender])
|
||||
self.subject = "Re: #{@reply_to.subject}"
|
||||
self.body = "#{@reply_to.sender.nick} schrieb am #{I18n.l(@reply_to.created_at, :format => :short)}:\n"
|
||||
@reply_to.body.each_line{ |l| self.body += "> #{l}" }
|
||||
end
|
||||
|
||||
def mail_to=(user_id)
|
||||
|
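Review bot: `reply_to=` loads the referenced message and copies its subject, sender and complete body into the new record with no readability check, so the authorization decision is entirely the caller's; that contract should be stated on the method, e.g. `# No access check here: callers must verify reply_to.is_readable_for?(current_user) before rendering or saving the built message.` The loop `@reply_to.body.each_line{ |l| self.body += "> #{l}" }` allocates a fresh string per quoted line; `self.body = "#{@reply_to.sender.nick} schrieb am #{I18n.l(@reply_to.created_at, :format => :short)}:\n" + @reply_to.body.each_line.map { |l| "> #{l}" }.join` builds it once. `Message.find(message_id)` raises `ActiveRecord::RecordNotFound` for an unknown or malformed id, which surfaces out of `Message.new(params[:message])` in the controller; that is probably the intended 404 but deserves a comment so nobody "fixes" it into a silent nil.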
@ -83,6 +83,10 @@ class Message < ActiveRecord::Base
|
|||
end
|
||||
update_attribute(:email_state, 1)
|
||||
end
|
||||
|
||||
def is_readable_for?(user)
|
||||
!private || sender == user || recipients_ids.include?(user.id)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
|
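Review bot: `!private || sender == user || recipients_ids.include?(user.id)` raises `NoMethodError` for a nil user on a private message rather than denying access; `!private || (user && (sender == user || recipients_ids.include?(user.id)))` gives the same answer for signed-in users and fails closed otherwise. The `is_` prefix is unidiomatic for a Ruby predicate; `readable_for?` is the conventional name, and the two controller call sites in this commit would need the same rename. A short YARD comment would also help: `# @param user [User, nil] the viewer` / `# @return [Boolean] true for public messages, otherwise only for the sender or a listed recipient`.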