From cee96915f99ad09230820cbd6bb2608befd41e62 Mon Sep 17 00:00:00 2001
From: wvengen
Date: Sun, 22 Dec 2013 13:58:49 +0100
Subject: [PATCH 1/2] remove unused redirect_to functionality

---
 app/controllers/application_controller.rb | 14 +-------------
 app/controllers/invites_controller.rb | 2 +-
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 9c77fe48..9a5de547 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -4,7 +4,7 @@ class ApplicationController < ActionController::Base
   helper_method :available_locales
   protect_from_forgery
-  before_filter :select_foodcoop, :authenticate, :store_controller, :items_per_page, :set_redirect_to
+  before_filter :select_foodcoop, :authenticate, :store_controller, :items_per_page
   after_filter :remove_controller
@@ -128,18 +128,6 @@ class ApplicationController < ActionController::Base
     end
   end
-  def set_redirect_to
-    session[:redirect_to] = params[:redirect_to] if params[:redirect_to]
-  end
-
-  def back_or_default_path(default = root_path)
-    if session[:redirect_to].present?
-      default = session[:redirect_to]
-      session[:redirect_to] = nil
-    end
-    default
-  end
-
   # Always stay in foodcoop url scope
   def default_url_options(options = {})
     {foodcoop: FoodsoftConfig.scope}
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index f301156a..440db16a 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -14,7 +14,7 @@ class InvitesController < ApplicationController
     respond_to do |format|
       format.html do
-        redirect_to back_or_default_path, notice: I18n.t('invites.success')
+        redirect_to root_path, notice: I18n.t('invites.success')
       end
       format.js { render layout: false }
     end
From 7ef6832ab3708744b8ebf85778ba6f236524c426 Mon Sep 17 00:00:00 2001
From: wvengen
Date: Sun, 22 Dec 2013 14:20:25 +0100
Subject: [PATCH 2/2] fix invite authentication

---
 app/controllers/application_controller.rb | 4 ++--
 app/controllers/invites_controller.rb | 10 ++++++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 9a5de547..dcc0f298 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -80,8 +80,8 @@ class ApplicationController < ActionController::Base
   # checks if the current_user is member of given group.
   # if fails the user will redirected to startpage
-  def authenticate_membership_or_admin
-    @group = Group.find(params[:id])
+  def authenticate_membership_or_admin(group_id = params[:id])
+    @group = Group.find(group_id)
     unless @group.member?(@current_user) or @current_user.role_admin?
       redirect_to root_path, alert: I18n.t('application.controller.error_members_only')
     end
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 440db16a..553e4398 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -1,13 +1,13 @@
 class InvitesController < ApplicationController
-  before_filter :authenticate_membership_or_admin, :only => [:new]
-  #TODO: authorize also for create action.
+  before_filter :authenticate_membership_or_admin_for_invites
   def new
     @invite = Invite.new(:user => @current_user, :group => @group)
   end
   def create
+    authenticate_membership_or_admin params[:invite][:group_id]
     @invite = Invite.new(params[:invite])
     if @invite.save
       Mailer.invite(@invite).deliver
@@ -23,4 +23,10 @@ class InvitesController < ApplicationController
       render action: :new
     end
   end
+
+  protected
+
+  def authenticate_membership_or_admin_for_invites
+    authenticate_membership_or_admin((params[:invite][:group_id] rescue params[:id]))
+  end
 end
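Review bot: The new `group_id` parameter of `authenticate_membership_or_admin` is undocumented, and the header comment above the def still describes only the before_filter use; add `# @param group_id [String, Integer] id of the Group to check; defaults to params[:id] when run as a filter`. Because this series also starts calling the method directly from an action body, the comment should state that the `redirect_to` on failure only halts the request when the method runs in the filter chain, so a direct caller must check `performed?` itself. The method body continues outside the hunk.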
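Review bot: The added `authenticate_membership_or_admin params[:invite][:group_id]` in `create` does not stop the action when the membership check fails: `redirect_to` inside the helper halts only when it runs as a before_filter, so on failure this method most likely continues into `Invite.new`, `@invite.save` and `Mailer.invite(@invite).deliver` before the action's own `redirect_to` raises a double-render error. The new `before_filter :authenticate_membership_or_admin_for_invites` in the same hunk already covers `create` with the same group id, so the in-action call is redundant; drop it, or if it is kept, follow it with `return if performed?`. It also raises NoMethodError when `params[:invite]` is absent, whereas the filter helper falls back to `params[:id]`. The `create` body continues outside the hunk.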
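Review bot: `(params[:invite][:group_id] rescue params[:id])` in `authenticate_membership_or_admin_for_invites` uses the rescue modifier, which swallows every StandardError rather than just the missing-hash case it is there for, and hides the fallback rule from the reader. Make the branch explicit: `invite = params[:invite]` / `group_id = invite.is_a?(Hash) ? invite[:group_id] : params[:id]` / `authenticate_membership_or_admin(group_id)` (adjust the type test if `params` stops being a Hash on a newer Rails). This preserves the current behaviour: fallback to `params[:id]` only when `params[:invite]` is missing or not a hash, otherwise the submitted `group_id` (a nil value then surfaces as RecordNotFound from `Group.find`). A one-line comment such as `# new: group id comes from the route (params[:id]); create: from the submitted invite form` would make the dual use clear.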