Diff
Modified: branches/packs/app/controllers/research_objects_controller.rb (3788 => 3789)
--- branches/packs/app/controllers/research_objects_controller.rb 2013-11-14 10:31:05 UTC (rev 3788)
+++ branches/packs/app/controllers/research_objects_controller.rb 2013-11-14 14:37:27 UTC (rev 3789)
@@ -5,7 +5,7 @@
require 'securerandom'
-class ResearchObjectsController < ActionController::Base
+class ResearchObjectsController < ApplicationController
# GET /rodl
def index
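Review bot: Changing the base class to ApplicationController (here and in resources_controller.rb at L64) pulls in whatever filters that class declares, which this diff does not show; if it enables `protect_from_forgery`, the non-browser clients of this API (create reads a `Slug` request header rather than a form) will send no CSRF token, and in Rails 3 the unverified-request handler resets the session, so `current_user` becomes nil and the new 'create' check answers 401 instead of a clear forgery error. Either confirm the parent declares no forgery protection or make the decision explicit on this controller with a comment stating why its clients are exempt. `render_401` and `current_user` are presumably inherited from ApplicationController as well — ActionController::Base provides neither — so confirm both exist there before relying on them in every action below.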
@@ -13,7 +13,9 @@
uri_list = ""
ResearchObject.all.each do |ro|
- uri_list << "#{research_object_url(ro.slug)}/\n"
+ if Authorization.check('view', ro, current_user)
+ uri_list << "#{research_object_url(ro.slug)}/\n"
+ end
end
send_data(uri_list, :type => 'text/uri-list')
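Review bot: Filtering and string building are interleaved inside the `each`, which hides that the loop is a filter; `ResearchObject.all.select { |ro| Authorization.check('view', ro, current_user) }.each { |ro| uri_list << "#{research_object_url(ro.slug)}/\n" }` reads as one. Loading every record and checking them one at a time is not introduced by this commit, but the added check now runs once per row, so the cost of index grows with the table. The index action starts in the previous hunk and its body continues after this one.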
@@ -32,6 +34,11 @@
return
end
+ unless Authorization.check('view', ro, current_user)
+ render_401("You are not authorized to view this research object.")
+ return
+ end
+
respond_to do |format|
format.html {
redirect_to polymorphic_path(ro.context)
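Review bot: `render_401` is sent both to an anonymous visitor and to a signed-in user who merely lacks access, but 401 means "authenticate" (and per HTTP should carry a WWW-Authenticate header), while a known user who is denied should receive 403; branching on `current_user` — `current_user ? render(:text => "Forbidden", :status => 403) : render_401("...")` — keeps the two distinguishable for clients. The same pattern recurs at L36-39, L52-55, L69-72 and L78-81, and the two controllers phrase the message differently ("You are not authorized" here, "You are unauthorized" in resources_controller.rb), which is worth unifying. If the `return` at the top of this hunk is the not-found branch, it fires before the access check, so a slug's existence is revealed to users who cannot view it — presumably acceptable, but worth a one-line comment stating that. The show action starts before the hunk and continues after it.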
@@ -68,8 +75,11 @@
# POST /rodl
def create
- current_user = User.find(1) # FIXME - hardcoded
-
+ unless Authorization.check('create', ResearchObject, current_user)
+ render_401("You are not authorized to create a research object.")
+ return
+ end
+
slug = request.headers["Slug"]
# Remove trailing slash if given.
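Review bot: The new check passes the class `ResearchObject` as the object while every other call site passes an instance, and the visible part of lib/authorization.rb (L112) dereferences `object.user`, so confirm the 'create' branch of `Authorization.check` accepts a Class rather than falling into an instance-only branch. Dropping `current_user = User.find(1)` means `current_user` now comes from the session and may be nil; the equivalent removals in resources_controller.rb's post (L87) and delete (L93) have no Authorization.check visible in their hunks, so confirm one exists further down in each, otherwise those write paths now depend entirely on what the rest of each method does with a nil user. The create action continues beyond this hunk.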
@@ -102,6 +112,16 @@
def destroy
ro = ResearchObject.find_by_slug_and_version(params[:id], nil)
+
+ unless ro
+ render :text => "Research Object not found", :status => 404
+ return
+ end
+
+ unless Authorization.check('destroy', ro, current_user)
+ render_401("You are not authorized to delete this research object.")
+ return
+ end
if ro
ro.destroy
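Review bot: With the added `unless ro ... return end`, the `if ro` on the last context line is always true, so that conditional and its `else` branch (outside the hunk) are dead code; drop the `if ro` wrapper and keep `ro.destroy` and what follows it at the method's top level. The not-found path renders inline with `render :text => "Research Object not found", :status => 404` while the denial path goes through `render_401`; if ApplicationController offers a matching 404 helper, using it here keeps the two consistent. The destroy action ends outside the hunk.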
Modified: branches/packs/app/controllers/resources_controller.rb (3788 => 3789)
--- branches/packs/app/controllers/resources_controller.rb 2013-11-14 10:31:05 UTC (rev 3788)
+++ branches/packs/app/controllers/resources_controller.rb 2013-11-14 14:37:27 UTC (rev 3789)
@@ -5,7 +5,7 @@
require 'securerandom'
-class ResourcesController < ActionController::Base
+class ResourcesController < ApplicationController
include ResearchObjectsHelper
@@ -53,6 +53,11 @@
return
end
+ unless Authorization.check('view', ro, current_user)
+ render_401("You are unauthorized to view this research object.")
+ return
+ end
+
resource = ro.resources.find_by_path(params[:id])
unless resource
@@ -62,6 +67,11 @@
# FIXME: This needs to support 406
+ unless Authorization.check('view', resource, current_user)
+ render_401("You are unauthorized to view this resource.")
+ return
+ end
+
# FIXME: This needs to support 401/403
if resource.is_proxy
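Review bot: The context comment `# FIXME: This needs to support 401/403` just below the added check is now half stale, since the 401 side is implemented by this hunk; either remove it or narrow it to `# FIXME: return 403 for authenticated users lacking access`. The 406 FIXME above the added lines is untouched by the change. The enclosing action starts before this hunk and continues after it.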
@@ -85,8 +95,6 @@
def post
- current_user = User.find(1) # FIXME - hardcoded
-
research_object = ResearchObject.find_by_slug_and_version(params[:research_object_id], nil)
unless research_object
@@ -134,8 +142,6 @@
def delete
- current_user = User.find(1) # FIXME - hardcoded
-
ro = ResearchObject.find_by_slug_and_version(params[:research_object_id], nil)
unless ro
Modified: branches/packs/app/models/pack_contributable_entry.rb (3788 => 3789)
--- branches/packs/app/models/pack_contributable_entry.rb 2013-11-14 10:31:05 UTC (rev 3788)
+++ branches/packs/app/models/pack_contributable_entry.rb 2013-11-14 14:37:27 UTC (rev 3789)
@@ -117,7 +117,7 @@
resource = ro.create_aggregated_resource(
:user_uri => user_path,
- :path => path, # FIXME - where should these be URL encoded?
+ :path => CGI::escape(path),
:data ="" data,
:context => self,
:content_type => contributable.content_type.mime_type)
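Review bot: `CGI::escape` is form encoding: it turns spaces into `+` and `/` into `%2F`, so a path containing directory separators is stored with encoded separators, and later lookups such as `ro.resources.find_by_path(params[:id])` in resources_controller.rb will only match if the router hands back exactly that form; if separators are meant to survive, escape per segment with `path.split('/').map { |s| ERB::Util.url_encode(s) }.join('/')`, which also yields `%20` rather than `+`. The removed FIXME asked where encoding belongs, and storing the escaped form here risks double encoding wherever the URL is later built from the stored path — confirm the consumers expect an already-escaped value. The `:data ="" data,` context line appears garbled in this rendering (presumably `:data => data,`). The enclosing method starts before the hunk and continues after it.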
Modified: branches/packs/lib/authorization.rb (3788 => 3789)
--- branches/packs/lib/authorization.rb 2013-11-14 10:31:05 UTC (rev 3788)
+++ branches/packs/lib/authorization.rb 2013-11-14 14:37:27 UTC (rev 3789)
@@ -413,7 +413,7 @@
return object.user == user
- when "delete"
+ when "destroy"
# If the research object is connected to a contribution then
# disallow deletion as this is only performed when the contribution