Modified: trunk/app/views/pictures/index.rhtml (2664 => 2665)
--- trunk/app/views/pictures/index.rhtml 2011-08-03 14:50:21 UTC (rev 2664)
+++ trunk/app/views/pictures/index.rhtml 2011-08-05 08:56:57 UTC (rev 2665)
@@ -17,6 +17,7 @@
<% odd_row = false -%>
<% for picture in @pictures %>
+<% if Authorization.is_authorized?("view", nil, picture, current_user) %>
<tr class="<%= (odd_row = !odd_row) ? "odd_row" : "even_row" %>">
<td width="150">
<% if picture.selected? %>
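Review bot: The authorization check is applied per row inside the view while `@pictures` itself stays unfiltered, so the surrounding branch that appears to choose between this table and the `<% else %>` fallback (it starts before and ends after this hunk) still sees a non-empty collection when every picture is hidden, and the page renders a table with no rows instead of the empty-state text. Filtering once in the controller, e.g. `@pictures = @pictures.select { |p| Authorization.is_authorized?("view", nil, p, current_user) }`, keeps the empty-state branch and any count shown elsewhere consistent with what is actually listed, and the matching `<% end %>` added in the second hunk of this file would no longer be needed. If the view-level check is kept, the `odd_row` toggle is correctly inside the guard, so row striping stays alternating for the visible rows.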
@@ -45,6 +46,7 @@
</td>
</tr>
<% end %>
+<% end %>
</table>
<% else %>
Modified: trunk/lib/authorization.rb (2664 => 2665)
--- trunk/lib/authorization.rb 2011-08-03 14:50:21 UTC (rev 2664)
+++ trunk/lib/authorization.rb 2011-08-05 08:56:57 UTC (rev 2665)
@@ -299,7 +299,7 @@
# this is required to get "policy_id" for policy-based aurhorized objects (like workflows / blobs / packs / contributions)
# and to get objects themself for other object types (networks, experiments, jobs, tavernaenactors, runners)
if (thing_contribution.nil? && ["Workflow", "Blog", "Blob", "Pack", "Contribution"].include?(thing_type)) ||
- (thing_instance.nil? && ["Network", "Comment", "Bookmark", "Experiment", "Job", "TavernaEnactor", "Runner"].include?(thing_type))
+ (thing_instance.nil? && ["Network", "Comment", "Bookmark", "Experiment", "Job", "TavernaEnactor", "Runner", "Picture"].include?(thing_type))
found_thing = find_thing(thing_type, thing_id)
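Review bot: "Picture" now has to be added to four separate literal lists in lockstep — this condition, the `when "Picture"` arm in `is_authorized?`, and the arms added to `find_thing` and `is_owner?` later in the diff — and a type left out of this particular list would presumably skip the lookup and leave `thing_instance` nil for the later `thing_instance.selected?` call. Hoisting the two arrays into frozen constants, e.g. `INSTANCE_LOOKUP_TYPES = %w[Network Comment Bookmark Experiment Job TavernaEnactor Runner Picture].freeze`, and referencing them from this condition would make the next type a one-place change and keep the list from drifting out of step with `find_thing`. The `if` this condition belongs to continues past the hunk, and the method starts and ends outside it.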
@@ -504,6 +504,22 @@
is_authorized = user_is_administrator?(user)
end
+ when "Picture"
+
+ case action
+
+ when "view"
+ # owner can view all their pictures
+ return true if is_owner?(user_id, thing_instance)
+
+ # anyone can view a user's selected pictures
+ is_authorized = thing_instance.selected?
+
+ when "edit", "destroy"
+ # only the owner of a picture can edit/destroy
+ is_authorized = is_owner?(user_id, thing_instance)
+ end
+
else
# don't recognise the kind of "thing" that is being authorized, so
# we don't specifically know that it needs to be blocked;
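Review bot: The inner `case action` has no `else`, so an action other than "view", "edit" or "destroy" on a Picture leaves `is_authorized` at whatever value it held before this branch (its initialisation is outside the hunk), which is a fail-open shape rather than an explicit deny; add `else` / `is_authorized = false` before the inner `end` so unknown actions on pictures are refused the same way the outer `else` refuses unknown types. The `return true` in the "view" arm also differs from every sibling arm, which assign `is_authorized` and fall through to the method's common tail; `is_authorized = is_owner?(user_id, thing_instance) || thing_instance.selected?` expresses the same rule without the early exit. Both `is_owner?` and `selected?` dereference `thing_instance`, so this arm relies on the `Picture.find` added to `find_thing` always succeeding — that method's `rescue ActiveRecord::RecordNotFound` appears to leave the result nil, and whether a nil instance is guarded before reaching this branch is not visible here. The enclosing `case thing_type` and the method start and end outside the hunk.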
@@ -571,6 +587,8 @@
found_instance = TavernaEnactor.find(thing_id)
when "ContentType"
found_instance = ContentType.find(thing_id)
+ when "Picture"
+ found_instance = Picture.find(thing_id)
end
rescue ActiveRecord::RecordNotFound
# do nothing; makes sure that app won't crash when the required object is not found;
@@ -597,6 +615,8 @@
is_authorized = (thing.user_id == user_id)
when "Bookmark"
is_authorized = (thing.user_id == user_id)
+ when "Picture"
+ is_authorized = (thing.user_id == user_id)
#else
# do nothing -- unknown "thing" types are not authorized by default
end
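Review bot: `thing.user_id == user_id` treats two nils as a match, so if `user_id` can be nil for an anonymous visitor and a picture row can carry a NULL `user_id` (neither is visible here), an unauthenticated request would be considered the owner and pass the "edit"/"destroy" checks added earlier in the diff. Writing the new arm as `is_authorized = !user_id.nil? && (thing.user_id == user_id)` closes that shape; the existing Comment and Bookmark arms follow the same pattern and would want the same guard if the nil case is reachable. The start of `is_owner?` is outside the hunk.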