Updating settings & fixing auth of objects through other objects cancan bug?

This commit is contained in:
Will Bradley 2013-09-28 19:31:28 -07:00
parent 9e08a0d036
commit 42679aa410
7 changed files with 14 additions and 39 deletions


@ -1,6 +1,6 @@
class CertificationsController < ApplicationController class CertificationsController < ApplicationController
load_and_authorize_resource :certification load_and_authorize_resource :certification
load_and_authorize_resource :user, :through => :certification #load_and_authorize_resource :user, :through => :certification
before_filter :authenticate_user! before_filter :authenticate_user!
# GET /certifications # GET /certifications
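Review bot: With the `:through => :certification` load commented out, nothing in this controller loads or authorizes `@user` any more, so any action that still reads `@user` (the action bodies are below this section) now gets nil, and any user lookup those actions do on their own runs without an `authorize!`. Commenting the line out rather than deleting it also leaves the old behaviour looking like it may come back; if the through-load was simply wrong here, delete it and record why, e.g. `# no :through load: users are not a child of certification`. Separately, `load_and_authorize_resource :certification` is declared before `before_filter :authenticate_user!`, so for an anonymous request CanCan raises `CanCan::AccessDenied` before Devise gets a chance to redirect to login; moving `before_filter :authenticate_user!` above the load gives the expected redirect.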


@ -1,7 +1,7 @@
class UserCertificationsController < ApplicationController class UserCertificationsController < ApplicationController
load_and_authorize_resource :user_certification load_and_authorize_resource :user_certification
load_and_authorize_resource :user, :through => :user_certification #load_and_authorize_resource :user, :through => :user_certification
load_and_authorize_resource :certification, :through => :user_certification #load_and_authorize_resource :certification, :through => :user_certification
before_filter :authenticate_user! before_filter :authenticate_user!
# Load users and certs based on current ability # Load users and certs based on current ability
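Review bot: With both `:through` loads commented out, neither `@user` nor `@certification` is set or authorized in this controller, so whatever the actions do with the user and certification chosen in `params` now rests entirely on the `UserCertification` rules in Ability, which are not visible in this commit; if those rules do not constrain `user_id`, a member could attach a certification to an arbitrary user. The comment "Load users and certs based on current ability" suggests the actions build those lists themselves (they are below this section), in which case the chosen user should still be checked where the record is saved, e.g. `authorize! :read, @user_certification.user` in create/update. As in CertificationsController, `before_filter :authenticate_user!` is declared after the load filter, so anonymous requests raise `CanCan::AccessDenied` instead of being redirected to login.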


@ -2,21 +2,15 @@ class Ability
include CanCan::Ability include CanCan::Ability
def initialize(user) def initialize(user)
# Anonymous can read mac can :read, Mac # Anonymous can read mac
today = Date.today can :scan, Mac # Need anonymous so CRON can scan
event = Date.new(2013,9,1)
unless today == event
can :read, Mac
can :scan, Mac # Need anonymous so CRON can scan
end
if !user.nil? if !user.nil?
# By default, users can only see their own stuff # By default, users can only see their own stuff
can :read, Card, :user_id => user.id can :read, Card, :user_id => user.id
can :read, Certification can :read, Certification
can :read_details, Mac unless today == event can :read_details, Mac
can [:update], Mac, :user_id => nil can [:update], Mac, :user_id => nil
can [:create,:update], Mac, :user_id => user.id can [:create,:update], Mac, :user_id => user.id
can :read, User, :id => user.id #TODO: why can users update themselves? can :read, User, :id => user.id #TODO: why can users update themselves?
@ -44,6 +38,8 @@ class Ability
# Admins can manage all # Admins can manage all
if user.admin? if user.admin?
Rails.logger.info user.inspect
Rails.logger.info "IS ADMIN"
can :manage, :all can :manage, :all
end end
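Review bot: `Rails.logger.info user.inspect` dumps the entire User record into the application log on every request an admin makes, since an Ability is built per request; for a Devise model `inspect` includes `encrypted_password` and any reset/remember tokens, which should never land in log files. If the two logger lines are only there to confirm the admin branch is reached, remove them both, or at most log the id at debug level: `Rails.logger.debug "Ability: admin user_id=#{user.id}"`. The `initialize` method continues past this section, so the rules between the two hunks (including the `UserCertification` ones) were not reviewed here.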


@ -19,6 +19,7 @@
<% end %> <% end %>
<%= link_to 'Payments', payments_path if can? :read, Payment %> <%= link_to 'Payments', payments_path if can? :read, Payment %>
<%= link_to 'Computers', macs_path if user_signed_in? || (can? :read, Mac) %> <%= link_to 'Computers', macs_path if user_signed_in? || (can? :read, Mac) %>
<%= link_to 'Settings', settings_path if can? :read, Setting %>
<% if user_signed_in? then %><%= link_to 'Profile', edit_user_registration_path %><% end %> <% if user_signed_in? then %><%= link_to 'Profile', edit_user_registration_path %><% end %>
<%= link_to 'Logout', destroy_user_session_path, :method => :delete if user_signed_in? %> <%= link_to 'Logout', destroy_user_session_path, :method => :delete if user_signed_in? %>
<%= link_to 'Login', new_user_session_path unless user_signed_in? %> <%= link_to 'Login', new_user_session_path unless user_signed_in? %>
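Review bot: `if can? :read, Setting` only decides whether the Settings link is drawn; it is not authorization, and nothing in this commit shows SettingsController enforcing the same check, so the settings pages are reachable by URL regardless of the nav unless the controller has its own `load_and_authorize_resource` or `authorize! :read, Setting`. In the Ability rules visible in this commit the only rule that grants anything on `Setting` is the admin `can :manage, :all`, which is presumably the intent, so the controller-side check is what actually keeps non-admins out. Please confirm the controller does that, and add a short comment on this line if it is meant to be admin-only, e.g. `<%# only admins can :manage Setting %>`.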


@ -8,11 +8,10 @@ $(function(){
<h3>Editing <%= @setting[:var].titleize %></h3> <h3>Editing <%= @setting[:var].titleize %></h3>
<div class="field"> <div class="field">
<%= text_area_tag :value, @setting[:value], :cols => 50, :class => "wysiwyg" %><br/> <%= text_area_tag :value, @setting[:value], :cols => 50, :class => "wysiwyg" %><br/>
<em>Use %{provider_name} or %{client_name} to include names in messages.</em>
</div> </div>
<div class="field"> <div class="field">
<%= submit_tag "Save", {:class => "wymupdate"} %><br/> <%= submit_tag "Save", {:class => "wymupdate"} %><br/>
<%= link_to "Back", settings_path %> <%= link_to "Back", settings_path %>
</div> </div>
<% end %> <% end %>
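Review bot: The new hint tells admins to write `%{provider_name}` / `%{client_name}`, which is Ruby `String#%` / `format` syntax; if the code that displays these settings renders them with `value % {...}`, then any other literal `%` in the message (e.g. "50% off") raises `ArgumentError` and an unknown `%{name}` raises `KeyError`, breaking the page that shows the setting rather than this edit form. That rendering code is not part of this commit, so confirm how the placeholders are expanded; if it is `String#%`, extend the hint, e.g. `Write a literal percent sign as %%.`, or expand with a helper that tolerates unknown keys and stray percent signs. The values are also edited through a WYSIWYG field and stored as HTML, so whoever can `:update` a Setting can inject markup into the public pages; that is acceptable only while the update rule stays admin-only.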


@ -7,10 +7,10 @@
<% @settings.each do |setting| %> <% @settings.each do |setting| %>
<tr> <tr>
<td><%= setting.first.titleize %></td> <td><%= setting.first.titleize %></td>
<td>"<%= setting.last %>"</td> <td>"<%= setting.last.truncate(140) %>"</td>
<% if can? :update, setting %> <% if can? :update, setting %>
<td><%= link_to 'Edit', edit_setting_path(setting.first) %></td> <td><%= link_to 'Edit', edit_setting_path(setting.first) %></td>
<% end %> <% end %>
</tr> </tr>
<% end %> <% end %>
</table> </table>
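Review bot: `setting.last.truncate(140)` assumes every value is a String; `@settings` is iterated as key/value pairs (`setting.first` / `setting.last`), and if a value were ever saved empty or nil the call would raise `NoMethodError` and take the whole index page down, so `setting.last.to_s.truncate(140)` is the safer form. Truncating through the HTML-bearing values is harmless for escaping because `<%= %>` escapes the cut string, but the result may end mid-tag, which is fine for a preview. Note too that `can? :update, setting` hands CanCan the `[key, value]` pair rather than a `Setting` class or record, so it only resolves for admins via `can :manage, :all` and any future per-setting rule would silently never match; `can? :update, Setting` says what is meant.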


@ -1,29 +1,8 @@
@@default_settings = { @@default_settings = {
:welcome_title => "Welcome to the Hackerspace Members Site", #Welcome to the HeatSync Labs Members App. :welcome_title => "Welcome to the Hackerspace Members Site",
:welcome_body => "<p>We are a member-driven community workshop where you can learn, make cool stuff, meet other cool people, and make your city a better place to live!</p><p>You don't have to be a member to come visit, but if you're interested in volunteering or being a member, feel free to sign up here! For more information, <a href=\"/more_info\">Click Here</a>.</p>", # <p>You can sign up to become a member here!</p> :welcome_body => "<p>We are a member-driven community workshop where you can learn, make cool stuff, meet other cool people, and make your city a better place to live!</p><p>You don't have to be a member to come visit, but if you're interested in volunteering or being a member, feel free to sign up here! For more information, <a href=\"/more_info\">Click Here</a>.</p>",
:more_info_page => "No info here yet, bug a member about filling this part out!", :more_info_page => "No info here yet, bug a member about filling this part out!",
:member_resources_inset => "No info here yet, bug a member about filling this part out!" :member_resources_inset => "No info here yet, bug a member about filling this part out!"
# <ul>
# <li><%= link_to "Wiki", "http://wiki.heatsynclabs.org" %></li>
# <li><%= link_to "Discussion Group", "http://groups.google.com/group/heatsynclabs" %></li>
# <li><%= link_to "IRC", "irc://irc.freenode.net#heatsynclabs" %></li>
# <li><%= link_to "Live Webcams", "http://live.heatsynclabs.org/" %></li>
# <li>Lab Phone: (480) 751-1929</li>
# <li>
# <style type="text/css">
# form input {font-family: 'Lucida Console', Monaco, monospace; }
# </style>
# <b>Send a Message!</b>
# <form method="post" action="http://tweet.zyphon.com/signage.php">
# <em>Type here and your message will show up on the LED sign in the front window!</em><br/>
# <em>(Please be nice!)</em><br/>
# <input type="text" name="msg" id="msg" value=" Hello" size="9" /> (max 9 chars per line)<br/>
# <input type="text" name="msg2" id="msg2" value=" World" size="9" /><br/>
# <input type="submit" name="submitbutton" id="submitbutton" value="Go!" />
# </form>
# </li>
# </ul>
} }
if ActiveRecord::Base.connection.tables.include?('settings') and !defined?(::Rake) if ActiveRecord::Base.connection.tables.include?('settings') and !defined?(::Rake)