Updating settings & fixing auth of objects through other objects cancan bug?

2013-09-28 19:31:28 -07:00 · 2013-09-28 19:31:28 -07:00 · 42679aa410
commit 42679aa410
parent 9e08a0d036
7 changed files with 14 additions and 39 deletions
--- a/app/controllers/certifications_controller.rb
+++ b/app/controllers/certifications_controller.rb
@ -1,6 +1,6 @@
 class CertificationsController < ApplicationController
  load_and_authorize_resource :certification
-  load_and_authorize_resource :user, :through => :certification
+  #load_and_authorize_resource :user, :through => :certification
  before_filter :authenticate_user!
  # GET /certifications
--- a/app/controllers/user_certifications_controller.rb
+++ b/app/controllers/user_certifications_controller.rb
@ -1,7 +1,7 @@
 class UserCertificationsController < ApplicationController
  load_and_authorize_resource :user_certification
-  load_and_authorize_resource :user, :through => :user_certification
+  #load_and_authorize_resource :user, :through => :user_certification
-  load_and_authorize_resource :certification, :through => :user_certification
+  #load_and_authorize_resource :certification, :through => :user_certification
  before_filter :authenticate_user!
  # Load users and certs based on current ability
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -2,21 +2,15 @@ class Ability
  include CanCan::Ability
  def initialize(user)
-    # Anonymous can read mac
+    can :read, Mac # Anonymous can read mac
-    today = Date.today
+    can :scan, Mac # Need anonymous so CRON can scan
    event = Date.new(2013,9,1)
    unless today == event
      can :read, Mac
      can :scan, Mac # Need anonymous so CRON can scan
    end
    if !user.nil?
      # By default, users can only see their own stuff
      can :read, Card, :user_id => user.id
      can :read, Certification
-      can :read_details, Mac unless today == event
+      can :read_details, Mac
      can [:update], Mac, :user_id => nil
      can [:create,:update], Mac, :user_id => user.id
      can :read, User, :id => user.id #TODO: why can users update themselves?
@ -44,6 +38,8 @@ class Ability
      # Admins can manage all
      if user.admin?
 Rails.logger.info user.inspect
 Rails.logger.info "IS ADMIN"
        can :manage, :all
      end
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@ -19,6 +19,7 @@
    <% end %>
    <%= link_to 'Payments', payments_path if can? :read, Payment %>
    <%= link_to 'Computers', macs_path if user_signed_in? || (can? :read, Mac) %>
    <%= link_to 'Settings', settings_path if can? :read, Setting %>
    <% if user_signed_in? then %><%= link_to 'Profile', edit_user_registration_path %><% end %>
    <%= link_to 'Logout', destroy_user_session_path, :method => :delete if user_signed_in? %>
    <%= link_to 'Login', new_user_session_path unless user_signed_in? %>
--- a/app/views/settings/edit.html.erb
+++ b/app/views/settings/edit.html.erb
@ -8,7 +8,6 @@ $(function(){
  <h3>Editing <%= @setting[:var].titleize %></h3>
  <div class="field">
    <%= text_area_tag :value, @setting[:value], :cols => 50, :class => "wysiwyg" %><br/>
    <em>Use %{provider_name} or %{client_name} to include names in messages.</em>
  </div>
  <div class="field">
--- a/app/views/settings/index.html.erb
+++ b/app/views/settings/index.html.erb
@ -7,7 +7,7 @@
  <% @settings.each do |setting| %>
  <tr>
    <td><%= setting.first.titleize %></td>
-    <td>"<%= setting.last %>"</td>
+    <td>"<%= setting.last.truncate(140) %>"</td>
    <% if can? :update, setting %>
    <td><%= link_to 'Edit', edit_setting_path(setting.first) %></td>
    <% end %>
--- a/config/initializers/default_settings.rb
+++ b/config/initializers/default_settings.rb
@ -1,29 +1,8 @@
@@default_settings = {
-  :welcome_title => "Welcome to the Hackerspace Members Site", #Welcome to the HeatSync Labs Members App.
+  :welcome_title => "Welcome to the Hackerspace Members Site",
-  :welcome_body => "<p>We are a member-driven community workshop where you can learn, make cool stuff, meet other cool people, and make your city a better place to live!</p><p>You don't have to be a member to come visit, but if you're interested in volunteering or being a member, feel free to sign up here! For more information, <a href=\"/more_info\">Click Here</a>.</p>", # <p>You can sign up to become a member here!</p>
+  :welcome_body => "<p>We are a member-driven community workshop where you can learn, make cool stuff, meet other cool people, and make your city a better place to live!</p><p>You don't have to be a member to come visit, but if you're interested in volunteering or being a member, feel free to sign up here! For more information, <a href=\"/more_info\">Click Here</a>.</p>",
  :more_info_page => "No info here yet, bug a member about filling this part out!",
  :member_resources_inset => "No info here yet, bug a member about filling this part out!"
 #   <ul>
 #   <li><%= link_to "Wiki", "http://wiki.heatsynclabs.org" %></li>
 #   <li><%= link_to "Discussion Group", "http://groups.google.com/group/heatsynclabs" %></li>
 #   <li><%= link_to "IRC", "irc://irc.freenode.net#heatsynclabs" %></li>
 #   <li><%= link_to "Live Webcams", "http://live.heatsynclabs.org/" %></li>
 #   <li>Lab Phone: (480) 751-1929</li>
 #   <li>
 #     <style type="text/css">
 #      form input {font-family: 'Lucida Console', Monaco, monospace; }
 #     </style>
 #     <b>Send a Message!</b>
 #     <form method="post" action="http://tweet.zyphon.com/signage.php">
 #       <em>Type here and your message will show up on the LED sign in the front window!</em><br/>
 #       <em>(Please be nice!)</em><br/>
 #       <input type="text" name="msg" id="msg" value="  Hello" size="9" /> (max 9 chars per line)<br/>
 #       <input type="text" name="msg2" id="msg2" value="  World" size="9" /><br/>
 #       <input type="submit" name="submitbutton" id="submitbutton" value="Go!" />
 #     </form>
 #   </li>
 # </ul>
 }
 if ActiveRecord::Base.connection.tables.include?('settings') and !defined?(::Rake)