Updated permissions for deletion and styling for hidden items

2013-01-25 18:21:42 -07:00 · 2013-01-25 18:21:42 -07:00 · c547af5391
commit c547af5391
parent 3d00bbed03
5 changed files with 13 additions and 5 deletions
--- a/app/assets/stylesheets/scaffolds.css.scss
+++ b/app/assets/stylesheets/scaffolds.css.scss
@ -74,4 +74,4 @@ td, th { padding: 0.5em; }
 dt { font-weight: bold; }
 .notice { color: green; }
 .alert { color: red; }
-
+.hidden, .hidden a { color: #ccc; }
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -3,10 +3,11 @@ class Ability

  def initialize(user)
    if !user.nil?
+
      # By default, users can only see their own stuff
      can :read, Card, :user_id => user.id
      can :read, Certification
-      can :read, User, :id => user.id
+      can :read, User, :id => user.id #TODO: why can users update themselves?
      can :read, UserCertification, :user_id => user.id

      # Admins can manage all
@ -24,6 +25,13 @@ class Ability
        can :read, User, :hidden => [nil,false]
        can :read, UserCertification
      end 
+
+      # Prevent all destruction for now
+      cannot :destroy, User
+      cannot :destroy, Card
+      cannot :destroy, Certification
+      cannot :destroy, UserCertification
+      cannot :destroy, DoorLog
    end 
    # Define abilities for the passed in user here. For example:
    #
--- a/app/views/certifications/index.html.erb
+++ b/app/views/certifications/index.html.erb
@ -6,7 +6,7 @@
 <% @certifications.each do |certification| %>
  <li><%= link_to certification.name, certification %>
  <% if can? :update, certification %> | <%= link_to 'Edit', edit_certification_path(certification) %><% end %>
-  <% if can? :delete, certification %> | <%= link_to 'Destroy', certification, :confirm => 'Are you sure?', :method => :delete %><% end %>
+  <% if can? :destroy, certification %> | <%= link_to 'Destroy', certification, :confirm => 'Are you sure?', :method => :delete %><% end %>
  </li>
 <% end %>
 </ul>
--- a/app/views/user_certifications/show.html.erb
+++ b/app/views/user_certifications/show.html.erb
@ -21,5 +21,5 @@
 <%= link_to 'Edit', edit_user_certification_path(@user_certification) %> |
 <%= link_to 'Back', user_certifications_path %>
 <p>
-<%= link_to 'Destroy', @user_certification, :confirm => "Are you sure you want to destroy this user's certification?", :method => :delete %>
+<%= link_to 'Destroy', @user_certification, :confirm => "Are you sure you want to destroy this user's certification?", :method => :delete if can? :destroy, @user_certification %>
 </p>
--- a/app/views/users/index.html.erb
+++ b/app/views/users/index.html.erb
@ -31,7 +31,7 @@
  
 <% if !@users.blank? %>
  <% @users.each do |user| %>
-  <tr>
+  <tr<%= " class='hidden'" if user.hidden? %>>
    <td><%= link_to user.name, user %></td>
    <% if current_user.admin? then %><td><%= user.email %></td><% end %>
    <td><% user.certifications.each do |c| %>