From 7ef6832ab3708744b8ebf85778ba6f236524c426 Mon Sep 17 00:00:00 2001
From: wvengen
Date: Sun, 22 Dec 2013 14:20:25 +0100
Subject: [PATCH] fix invite authentication

---
 app/controllers/application_controller.rb | 4 ++--
 app/controllers/invites_controller.rb | 10 ++++++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 9a5de547..dcc0f298 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -80,8 +80,8 @@ class ApplicationController < ActionController::Base
 # checks if the current_user is member of given group.
 # if fails the user will redirected to startpage
- def authenticate_membership_or_admin
- @group = Group.find(params[:id])
+ def authenticate_membership_or_admin(group_id = params[:id])
+ @group = Group.find(group_id)
 unless @group.member?(@current_user) or @current_user.role_admin?
 redirect_to root_path, alert: I18n.t('application.controller.error_members_only')
 end
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 440db16a..553e4398 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -1,13 +1,13 @@
 class InvitesController < ApplicationController
- before_filter :authenticate_membership_or_admin, :only => [:new]
- #TODO: authorize also for create action.
+ before_filter :authenticate_membership_or_admin_for_invites
 def new
 @invite = Invite.new(:user => @current_user, :group => @group)
 end
 def create
+ authenticate_membership_or_admin params[:invite][:group_id]
 @invite = Invite.new(params[:invite])
 if @invite.save
 Mailer.invite(@invite).deliver
@@ -23,4 +23,10 @@ class InvitesController < ApplicationController
 render action: :new
 end
 end
+
+ protected
+
+ def authenticate_membership_or_admin_for_invites
+ authenticate_membership_or_admin((params[:invite][:group_id] rescue params[:id]))
+ end
 end
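Review bot: `authenticate_membership_or_admin` still only issues a `redirect_to` on failure and never reports the outcome to its caller, which matters now that the new `group_id` parameter invites action bodies to call it directly (the `create` action in invites_controller.rb does so in this same patch); as a `before_filter` the redirect halts the chain, but a direct caller keeps executing after the redirect, so in `create` a failed check would presumably still reach `Invite.new`/`save` before the second render is rejected. Returning the result would let such callers bail out: replace the `unless` block with `return true if @group.member?(@current_user) or @current_user.role_admin?`, keep the existing `redirect_to`, and end the method with `false`, so callers can write `return unless authenticate_membership_or_admin(...)`. The default `params[:id]` is evaluated at each call, so filter-based use is unchanged by that. The method's closing `end` lies outside this hunk.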
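Review bot: The added `authenticate_membership_or_admin params[:invite][:group_id]` in `create` duplicates the new `before_filter`, which — with the old `:only => [:new]` removed — already runs for every action of this controller and resolves the same `params[:invite][:group_id]`, so each create request performs two `Group.find` lookups and two membership checks, and it is the filter, not this line, that actually guards the action. Either drop the line, or if it is intended as defence in depth, follow it with `return if performed?` so a failed check cannot fall through to `Invite.new(params[:invite])` and `@invite.save`. The `@group` loaded by the check is also unused here; assigning `@invite.group = @group` and `@invite.user = @current_user` after `Invite.new` (as `new` already does for user and group) would bind the saved record to the authorised group and the acting user rather than to whatever the request hash carries. `create`'s body continues past the end of this hunk.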
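Review bot: `params[:invite][:group_id] rescue params[:id]` in `authenticate_membership_or_admin_for_invites` uses the inline rescue modifier, which swallows every StandardError rather than only the NoMethodError from a missing `params[:invite]`; a scalar `invite` parameter, for instance, raises TypeError on `[]` and is silently rerouted to the `params[:id]` check instead of being rejected, and a genuine bug in that expression would be hidden the same way. Make the fallback explicit: `invite = params[:invite]` followed by `authenticate_membership_or_admin(invite.is_a?(Hash) ? invite[:group_id] : params[:id])`. When neither value is present the resulting `Group.find(nil)` should raise RecordNotFound, which fails closed; a one-line comment such as `# no group id at all -> Group.find(nil) raises, request is rejected` would record that this is relied upon rather than accidental.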