Prevent mods from editing/deleting feedbacks given to themselves.

2016-11-28 03:48:24 -06:00
parent bba080a4c5
commit fa74c71b6d
4 changed files with 7 additions and 3 deletions
--- a/app/controllers/user_feedbacks_controller.rb
+++ b/app/controllers/user_feedbacks_controller.rb
@@ -49,6 +49,6 @@ class UserFeedbacksController < ApplicationController
 private
  def check_privilege(user_feedback)
-    raise User::PrivilegeError unless (user_feedback.creator_id == CurrentUser.id || CurrentUser.is_moderator?)
+    raise User::PrivilegeError unless user_feedback.editable_by?(CurrentUser.user)
  end
 end
--- a/app/models/user_feedback.rb
+++ b/app/models/user_feedback.rb
@@ -98,4 +98,8 @@ class UserFeedback < ActiveRecord::Base
      return true
    end
  end
  def editable_by?(editor)
    (editor.is_moderator? && editor != user) || creator == editor
  end
 end
--- a/app/views/user_feedbacks/index.html.erb
+++ b/app/views/user_feedbacks/index.html.erb
@@ -20,7 +20,7 @@
            <td><%= compact_time(feedback.created_at) %></td>
            <td><%= format_text(feedback.body) %></td>
            <td>
-              <% if feedback.creator_id == CurrentUser.id || CurrentUser.is_moderator? %>
+              <% if feedback.editable_by?(CurrentUser.user) %>
                <%= link_to "edit", edit_user_feedback_path(feedback) %>
                | <%= link_to "delete", user_feedback_path(feedback), :method => :delete, :data => {:confirm => "Are you sure you want to delete this user feedback?"} %>
              <% end %>
--- a/app/views/user_feedbacks/show.html.erb
+++ b/app/views/user_feedbacks/show.html.erb
@@ -9,7 +9,7 @@
      <li><strong>Message</strong> <%= format_text @user_feedback.body %></li>
    </ul>
-    <% if @user_feedback.creator_id == CurrentUser.id || CurrentUser.is_moderator? %>
+    <% if @user_feedback.editable_by?(CurrentUser.user) %>
      <p><%= link_to "Edit", edit_user_feedback_path(@user_feedback) %></p>
    <% end %>
  </div>