Add missing authorization for InvoicesController

2020-04-11 00:04:35 +02:00 · 2020-04-11 00:04:35 +02:00 · a3946ed3d4
parent 3b79c05ffe
commit a3946ed3d4
2 changed files with 16 additions and 10 deletions
--- a/app/controllers/concerns/auth.rb
+++ b/app/controllers/concerns/auth.rb
@ -56,16 +56,17 @@ module Concerns::Auth
      # We have an authenticated user, now check role...
      # Roles gets the user through his memberships.
      hasRole = case role
-      when 'admin'             then current_user.role_admin?
-      when 'finance'           then current_user.role_finance?
-      when 'article_meta'      then current_user.role_article_meta?
-      when 'pickups'           then current_user.role_pickups?
-      when 'suppliers'         then current_user.role_suppliers?
-      when 'orders'            then current_user.role_orders?
-      when 'finance_or_orders' then (current_user.role_finance? || current_user.role_orders?)
-      when 'pickups_or_orders' then (current_user.role_pickups? || current_user.role_orders?)
-      when 'any'               then true  # no role required
-      else false                          # any unknown role will always fail
+      when 'admin'               then current_user.role_admin?
+      when 'finance'             then current_user.role_finance?
+      when 'article_meta'        then current_user.role_article_meta?
+      when 'pickups'             then current_user.role_pickups?
+      when 'suppliers'           then current_user.role_suppliers?
+      when 'orders'              then current_user.role_orders?
+      when 'finance_or_invoices' then (current_user.role_finance? || current_user.role_invoices?)
+      when 'finance_or_orders'   then (current_user.role_finance? || current_user.role_orders?)
+      when 'pickups_or_orders'   then (current_user.role_pickups? || current_user.role_orders?)
+      when 'any'                 then true  # no role required
+      else false                            # any unknown role will always fail
      end
      if hasRole
        current_user
@ -99,6 +100,10 @@ module Concerns::Auth
    authenticate('orders')
  end

+  def authenticate_finance_or_invoices
+    authenticate('finance_or_invoices')
+  end
+
  def authenticate_finance_or_orders
    authenticate('finance_or_orders')
  end
--- a/app/controllers/finance/invoices_controller.rb
+++ b/app/controllers/finance/invoices_controller.rb
@ -1,4 +1,5 @@
 class Finance::InvoicesController < ApplicationController
+  before_action :authenticate_finance_or_invoices

  before_action :find_invoice, only: [:show, :edit, :update, :destroy]
  before_action :ensure_can_edit, only: [:edit, :update, :destroy]