restrict min level constraints for forum topics to mod+admin and restrict options based on current user's level. check privileges for visiblity in forum posts and topics. deprecate serializable_hash (undocumented, internal) for as_json, refactor to use hidden_attributes and method_attributes #2658
This commit is contained in:
Albert Yi
@@ -1,6 +1,8 @@
|
||||
class ForumPostsController < ApplicationController
|
||||
respond_to :html, :xml, :json, :js
|
||||
before_filter :member_only, :except => [:index, :show]
|
||||
before_filter :load_post, :only => [:edit, :show, :update, :destroy, :undelete]
|
||||
before_filter :check_min_level, :only => [:edit, :show, :update, :destroy, :undelete]
|
||||
|
||||
def new
|
||||
@forum_topic = ForumTopic.find(params[:topic_id]) if params[:topic_id]
|
||||
@@ -9,14 +11,13 @@ class ForumPostsController < ApplicationController
|
||||
end
|
||||
|
||||
def edit
|
||||
@forum_post = ForumPost.find(params[:id])
|
||||
check_privilege(@forum_post)
|
||||
respond_with(@forum_post)
|
||||
end
|
||||
|
||||
def index
|
||||
@query = ForumPost.search(params[:search])
|
||||
@forum_posts = @query.order("forum_posts.id DESC").paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
|
||||
@forum_posts = @query.includes(:topic).order("forum_posts.id DESC").paginate(params[:page], :limit => params[:limit], :search_count => params[:search])
|
||||
respond_with(@forum_posts) do |format|
|
||||
format.xml do
|
||||
render :xml => @forum_posts.to_xml(:root => "forum-posts")
|
||||
@@ -28,7 +29,6 @@ class ForumPostsController < ApplicationController
|
||||
end
|
||||
|
||||
def show
|
||||
@forum_post = ForumPost.find(params[:id])
|
||||
if request.format == "text/html" && @forum_post.id == @forum_post.topic.original_post.id
|
||||
redirect_to(forum_topic_path(@forum_post.topic, :page => params[:page]))
|
||||
else
|
||||
@@ -43,7 +43,6 @@ class ForumPostsController < ApplicationController
|
||||
end
|
||||
|
||||
def update
|
||||
@forum_post = ForumPost.find(params[:id])
|
||||
check_privilege(@forum_post)
|
||||
@forum_post.update_attributes(params[:forum_post])
|
||||
page = @forum_post.forum_topic_page if @forum_post.forum_topic_page > 1
|
||||
@@ -51,20 +50,44 @@ class ForumPostsController < ApplicationController
|
||||
end
|
||||
|
||||
def destroy
|
||||
@forum_post = ForumPost.find(params[:id])
|
||||
check_privilege(@forum_post)
|
||||
@forum_post.delete!
|
||||
respond_with(@forum_post)
|
||||
end
|
||||
|
||||
def undelete
|
||||
@forum_post = ForumPost.find(params[:id])
|
||||
check_privilege(@forum_post)
|
||||
@forum_post.undelete!
|
||||
respond_with(@forum_post)
|
||||
end
|
||||
|
||||
private
|
||||
def load_post
|
||||
@forum_post = ForumPost.find(params[:id])
|
||||
@forum_topic = @forum_post.topic
|
||||
end
|
||||
|
||||
def check_min_level
|
||||
if CurrentUser.user.level < @forum_topic.min_level
|
||||
respond_with(@forum_topic) do |fmt|
|
||||
fmt.html do
|
||||
flash[:notice] = "Access denied"
|
||||
redirect_to forum_topics_path
|
||||
end
|
||||
|
||||
fmt.json do
|
||||
render :nothing => true, :status => 403
|
||||
end
|
||||
|
||||
fmt.xml do
|
||||
render :nothing => true, :status => 403
|
||||
end
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def check_privilege(forum_post)
|
||||
if !forum_post.editable_by?(CurrentUser.user)
|
||||
raise User::PrivilegeError
|
||||
|
||||
Reference in New Issue
Block a user