From: noreply
Subject: [myexperiment-hackers] [3541] trunk/app: added permission check when creating comments
Date: Fri, 10 May 2013 09:39:18 +0000 (UTC)

Revision
3541
Author
dgc
Date
2013-05-10 09:39:17 +0000 (Fri, 10 May 2013)

Log Message

added permission check when creating comments

Modified Paths

Diff

Modified: trunk/app/controllers/comments_controller.rb (3540 => 3541)


--- trunk/app/controllers/comments_controller.rb	2013-05-09 15:01:41 UTC (rev 3540)
+++ trunk/app/controllers/comments_controller.rb	2013-05-10 09:39:17 UTC (rev 3541)
@@ -34,6 +34,11 @@
       ajaxy = false
     end
 
+    if Authorization.check('create', Comment, current_user, @context) == false
+      render_401("You are not authorized to create this comment.")
+      return
+    end
+
     if text and text.length > 0
       comment = Comment.new(:user => current_user, :comment => text, :commentable => @context)
 
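Review bot: The new guard compares with `== false`, so it only denies on a literal `false`. If `Authorization.check` ever returns `nil`, `nil == false` is false in Ruby and the request falls through to `Comment.new`. Fail closed by writing it as `unless Authorization.check('create', Comment, current_user, @context)`, so that anything other than a truthy result is rejected before the comment is built.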

Modified: trunk/app/views/activities/_activity.rhtml (3540 => 3541)


--- trunk/app/views/activities/_activity.rhtml	2013-05-09 15:01:41 UTC (rev 3540)
+++ trunk/app/views/activities/_activity.rhtml	2013-05-10 09:39:17 UTC (rev 3541)
@@ -23,7 +23,7 @@
               <% end %>
             <% end %>
           <% end %>
-          <% if Authorization.check('create', Comment, user, activity.context) %>
+          <% if Authorization.check('create', Comment, user, activity) %>
             <% if (activity.comments.length == 0) && (activity_set.length == 1) %>
               <span><a href=""  activity.id -%>').style.display = 'block'; return false;">Comment</a></span>
             <% else %>
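Review bot: The fourth argument in this `<% if %>` is now `activity` rather than `activity.context`, while the controller check added in the same revision passes `@context`, and the log message does not say why the view now authorizes against a different object. Please confirm that `@context` in `comments_controller.rb` resolves to the activity for comments posted from this partial, so the "Comment" link is shown to exactly the users the controller will accept, and add a line to the log message explaining the switch.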
@@ -47,7 +47,7 @@
             <div style="clear: left"></div>
           </div>
         <% end %>
-        <% if Authorization.check('create', Comment, user, activity.context) %>
+        <% if Authorization.check('create', Comment, user, activity) %>
 
           <div class="activityCommentBox">
             <div style="float: left">
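Review bot: The condition guarding `activityCommentBox` repeats the `Authorization.check('create', Comment, user, activity)` call made earlier in the partial (around line 26), so the permission is evaluated twice per activity and both calls have to be kept in sync by hand, as this change itself shows. Assign the result to a local once near the top of the partial and use it in both `<% if %>` conditions, so a later change to the context argument cannot update one gate and miss the other.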
