部分接口添加权限验证接口、新闻详情及对应评论接口

11 years ago · 7f9386180d
parent df18eac875
commit 7f9386180d
4 changed files with 35 additions and 7 deletions
--- a/app/api/mobile/apis/courses.rb
+++ b/app/api/mobile/apis/courses.rb
@ -95,7 +95,9 @@ module Mobile
        end
        route_param :id do
          get do
-            course = Course.find(params[:id])
+            cs = CoursesService.new
+            course = cs.show_course params,current_user
+            #course = Course.find(params[:id])
            {status: 0, data: course}
          end
        end
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@ -87,8 +87,10 @@ class NewsController < ApplicationController
   end

  def show
-    @comments = @news.comments
-    @comments.reverse! if User.current.wants_comments_in_reverse_order?
+    cs = CoursesService.new
+    @news,@comments = cs.show_course_news params,User.current
+    #@comments = @news.comments
+    #@comments.reverse! if User.current.wants_comments_in_reverse_order?
    #modify by nwb
    if @news.course_id
      @course = Course.find(@news.course_id)
--- a/app/services/courses_service.rb
+++ b/app/services/courses_service.rb
@ -83,13 +83,29 @@ class CoursesService
    scope = @course ? @course.news.course_visible : News.course_visible
  end

-  #显示课程通知
-  def show_course_news
+  #查看新闻权限验证
+  def show_course_news_authorize(current_user,course)
+    unless current_user.allowed_to?({:controller => 'news', :action => 'show'}, course)
+      raise '403'
+    end
+  end

+  #显示课程通知(包括评论) 需验证权限
+  def show_course_news params,current_user
+    @news = News.find(params[:id])
+    @comments = @news.comments
+    @comments.reverse! if current_user.wants_comments_in_reverse_order?
+    [@news,@comments]
  end

-  def show_course params
+
+
+  #显示课程
+  def show_course(params,currnet_user)
    course = Course.find(params[:id])
+    unless (course.is_public == 1 ||  currnet_user.member_of_course?(@course)|| currnet_user.admin?)
+      raise '403'
+    end
    course
  end

@ -128,7 +144,14 @@ class CoursesService
    @course
  end

-  #编辑课程
+  #验证编辑课程的权限
+  def edit_course_authorize(current_user,course)
+    unless current_user.allowed_to?({:controller => 'courses', :action => 'update'}, course)
+      raise '403'
+    end
+  end
+
+  #编辑课程  需验证权限
  def edit_course params,course
    course.safe_attributes = params[:course]
    course.time = params[:time]
--- a/app/services/users_service.rb
+++ b/app/services/users_service.rb
@ -59,6 +59,7 @@ class UsersService
  end

  #编辑用户
+  #gender 1：female 0：male 其他：male
  def edit_user params
    @user = User.find(params[:id])
    fileio = params[:file]