Modified: branches/packs/app/views/packs/_resource_tile.html.erb (3648 => 3649)
--- branches/packs/app/views/packs/_resource_tile.html.erb 2013-09-01 10:47:33 UTC (rev 3648)
+++ branches/packs/app/views/packs/_resource_tile.html.erb 2013-09-01 13:32:51 UTC (rev 3649)
@@ -5,9 +5,11 @@
<td><%=h resource.content_type -%></td>
<td><%=h resource.annotations.count -%></td>
<td>
- <%= link_to("<img src='' />",
- pack_item_path(pack, ore_path),
- :method => :delete,
- :confirm => "Are you sure you want to delete this item?") %>
+ <% if Authorization.check('destroy', resource, current_user) %>
+ <%= link_to("<img src='' />",
+ pack_item_path(pack, ore_path),
+ :method => :delete,
+ :confirm => "Are you sure you want to delete this item?") %>
+ <% end %>
</td>
</tr>
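Review bot: The new `Authorization.check('destroy', resource, current_user)` guard only hides the delete link. The DELETE request to `pack_item_path(pack, ore_path)` can still be sent directly, so the controller action behind that route needs the same check; that controller is not part of this commit, so please confirm it is enforced there. The check is made on `resource` while the link targets the item identified by `ore_path`, so it is also worth confirming that both refer to the same object. The table row starts above this hunk, so where `resource`, `pack` and `ore_path` come from is not visible here.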
Modified: branches/packs/lib/authorization.rb (3648 => 3649)
--- branches/packs/lib/authorization.rb 2013-09-01 10:47:33 UTC (rev 3648)
+++ branches/packs/lib/authorization.rb 2013-09-01 13:32:51 UTC (rev 3649)
@@ -328,7 +328,7 @@
return Authorization.check('edit', object.context, user)
end
- when "PackContributableEntry", "PackRemoteEntry"
+ when "PackContributableEntry"
case action
@@ -339,7 +339,43 @@
# Only users that can edit a pack can add items to it
return !user.nil? && Authorization.check('edit', context, user)
+ when "view"
+
+ # Only users can can view the pack and also view the contributable
+ # can view it.
+
+ return false unless Authorization.check('view', object.pack, user)
+
+ return Authorization.check('view', object.contributable, user)
+
when "edit", "destroy"
+
+ # Users that can edit the pack can also edit / delete items, but
+ # only if they can view the items.
+
+ return false unless Authorization.check('edit', object.pack, user)
+
+ return Authorization.check('view', object.contributable, user)
+ end
+
+ when "PackRemoteEntry"
+
+ case action
+
+ when "create"
+
+ raise "Context required for authorisation check" unless context
+
+ # Only users that can edit a pack can add items to it
+ return !user.nil? && Authorization.check('edit', context, user)
+
+ when "view"
+
+ # Only users can can view the pack can see remote items.
+
+ return Authorization.check('view', object.pack, user)
+
+ when "edit", "destroy"
# Users that can edit the pack can also edit / delete items
return Authorization.check('edit', object.pack, user)
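Review bot: Neither the extended `PackContributableEntry` case nor the new `PackRemoteEntry` `case action` has an `else` branch, so an action string other than create/view/edit/destroy falls out of the case. The result then depends on code after this hunk, which is not visible. In an authorization routine an explicit `else return false` in each inner case would make deny-by-default visible at the point of decision. Separately, `edit`/`destroy` on a contributable entry now also requires `view` on `object.contributable`. If the contributable is missing or has become private to the pack editor, the entry could presumably no longer be removed from the pack, so please confirm that is intended. The two new comments read `Only users can can view`; `Only users that can view` is presumably meant.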
@@ -358,14 +394,20 @@
# contributable if it is local to myExperiment
if object.pack_contributable_entry
- return false unless Authorization.check('view', object.pack_contributable_entry, user)
+ return Authorization.check('view', object.pack_contributable_entry, user)
end
+ return false
+
when "create"
# Only users that can edit the pack can create RO resources
- return Authorization.check('edit', context, user)
+ return Authorization.check('edit', object.research_object.pack, user)
+ when "destroy"
+
+ # Only users that can edit the pack can delete RO resources
+ return Authorization.check('edit', object.research_object.pack, user)
end
when "Message"
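Review bot: The `create` and `destroy` branches dereference `object.research_object.pack` with no nil guard, whereas `create` previously checked the `context` passed in by the caller. If `object` is not yet attached to a research object at create time (not verifiable from this hunk), the check raises `NoMethodError` instead of returning a decision. Since the resource tile view now calls the `destroy` check for every row, such an error would also break page rendering. A guard such as `ro = object.research_object` followed by `return false unless ro && ro.pack` before the `edit` check would keep the failure a clean deny. The `view` branch now ends in `return false` when there is no `pack_contributable_entry`, so please confirm that resources without a local contributable are meant to be unviewable; the start of that branch lies outside the hunk.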