修改一些删除权限问题

12 years ago · f0b6c33217
parent b06abd0b83
commit f0b6c33217
2 changed files with 15 additions and 2 deletions
--- a/app/controllers/memos_controller.rb
+++ b/app/controllers/memos_controller.rb
@ -3,6 +3,8 @@ class MemosController < ApplicationController
  before_filter :find_forum, :only => [:new, :preview]
  before_filter :find_attachments, :only => [:preview]
  before_filter :find_memo, :except => [:new, :create , :preview, :update]
+  before_filter :authenticate_user_edit, :only => [:edit, :update]
+  before_filter :authenticate_user_destroy, :only => [:destroy]
  
  helper :attachments
  include AttachmentsHelper
@ -144,4 +146,15 @@ class MemosController < ApplicationController
    render_404
    nil
  end
+
+  def authenticate_user_edit
+    find_memo
+    render_403 unless @memo.editable_by? User.current
+  end
+
+  def authenticate_user_destroy
+    find_memo
+    render_403 unless @memo.destroyable_by? User.current
+    
+  end
 end
--- a/app/models/memo.rb
+++ b/app/models/memo.rb
@ -85,11 +85,11 @@ class Memo < ActiveRecord::Base
 	
 	def editable_by? user
 		# user && user.logged? || (self.author == usr && usr.allowed_to?(:edit_own_messages, project))
-		(user && self.author == user && !self.lock || user.admin?) && true
+		user.admin?
 	end

 	def destroyable_by? user
-		user.admin?
+		user && user.logged? && Forum.find(self.forum_id).creator_id == user.id || user.admin?
 		#self.author == user || user.admin?
 	end