Add missing authorization for InvoicesController
parent
3b79c05ffe
commit
a3946ed3d4
2 changed files with 16 additions and 10 deletions
@ -56,16 +56,17 @@ module Concerns::Auth
|
||||||
# We have an authenticated user, now check role...
|
# We have an authenticated user, now check role...
|
||||||
# Roles gets the user through his memberships.
|
# Roles gets the user through his memberships.
|
||||||
hasRole = case role
|
hasRole = case role
|
||||||
when 'admin' then current_user.role_admin?
|
when 'admin' then current_user.role_admin?
|
||||||
when 'finance' then current_user.role_finance?
|
when 'finance' then current_user.role_finance?
|
||||||
when 'article_meta' then current_user.role_article_meta?
|
when 'article_meta' then current_user.role_article_meta?
|
||||||
when 'pickups' then current_user.role_pickups?
|
when 'pickups' then current_user.role_pickups?
|
||||||
when 'suppliers' then current_user.role_suppliers?
|
when 'suppliers' then current_user.role_suppliers?
|
||||||
when 'orders' then current_user.role_orders?
|
when 'orders' then current_user.role_orders?
|
||||||
when 'finance_or_orders' then (current_user.role_finance? || current_user.role_orders?)
|
when 'finance_or_invoices' then (current_user.role_finance? || current_user.role_invoices?)
|
||||||
when 'pickups_or_orders' then (current_user.role_pickups? || current_user.role_orders?)
|
when 'finance_or_orders' then (current_user.role_finance? || current_user.role_orders?)
|
||||||
when 'any' then true # no role required
|
when 'pickups_or_orders' then (current_user.role_pickups? || current_user.role_orders?)
|
||||||
else false # any unknown role will always fail
|
when 'any' then true # no role required
|
||||||
|
else false # any unknown role will always fail
|
||||||
end
|
end
|
||||||
if hasRole
|
if hasRole
|
||||||
current_user
|
current_user
|
||||||
|
@ -99,6 +100,10 @@ module Concerns::Auth
|
||||||
authenticate('orders')
|
authenticate('orders')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def authenticate_finance_or_invoices
|
||||||
|
authenticate('finance_or_invoices')
|
||||||
|
end
|
||||||
|
|
||||||
def authenticate_finance_or_orders
|
def authenticate_finance_or_orders
|
||||||
authenticate('finance_or_orders')
|
authenticate('finance_or_orders')
|
||||||
end
|
end
|
||||||
|
|
|
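Review bot: The new `when 'finance_or_invoices'` branch in the first hunk calls `current_user.role_invoices?`, a predicate that is neither defined nor touched anywhere in this diff; if the user model does not already provide it, `authenticate('finance_or_invoices')` will raise NoMethodError (a 500) instead of taking the deny path, so it is worth confirming that method exists before merging. The `else false` fallback means a misspelled role string silently denies everyone, which is the safe direction but makes such mistakes hard to notice, so a unit test covering `authenticate_finance_or_invoices` for a user with only the finance role, only the invoices role, and neither would pin the intended behaviour. The `authenticate` method whose case statement this extends begins and ends outside the first hunk, and the helper added in the second hunk follows the existing `authenticate_*` pattern.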
@ -1,4 +1,5 @@
|
||||||
class Finance::InvoicesController < ApplicationController
|
class Finance::InvoicesController < ApplicationController
|
||||||
|
before_action :authenticate_finance_or_invoices
|
||||||
|
|
||||||
before_action :find_invoice, only: [:show, :edit, :update, :destroy]
|
before_action :find_invoice, only: [:show, :edit, :update, :destroy]
|
||||||
before_action :ensure_can_edit, only: [:edit, :update, :destroy]
|
before_action :ensure_can_edit, only: [:edit, :update, :destroy]
|
||||||
|
|
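Review bot: The added `before_action :authenticate_finance_or_invoices` has no `only:` filter, so it covers every action of the controller including those not listed in the `find_invoice`/`ensure_can_edit` filters, which is the right scope for closing a missing-authorization gap; a request spec asserting that a user holding neither the finance nor the invoices role is denied on index, show, edit, update and destroy would keep the gap from silently reopening. It presumably relies on `Concerns::Auth` being included in `ApplicationController`, which this diff does not show, so that should be verified rather than assumed. The class body continues past the end of the hunk.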