diff options
-rw-r--r-- | app/controllers/tournaments_controller.rb | 40 | ||||
-rw-r--r-- | app/controllers/users_controller.rb | 2 | ||||
-rw-r--r-- | app/models/user.rb | 4 |
3 files changed, 25 insertions, 21 deletions
diff --git a/app/controllers/tournaments_controller.rb b/app/controllers/tournaments_controller.rb index 5155a4f..913ca52 100644 --- a/app/controllers/tournaments_controller.rb +++ b/app/controllers/tournaments_controller.rb @@ -1,6 +1,8 @@ class TournamentsController < ApplicationController - before_action :set_tournament, only: [:show, :edit, :update, :destroy, :join] - before_action :check_perms, only: [:new, :create, :edit, :destroy] + # put #update in with before_show, because in special cases the + # permissions are relaxed, so we do that right in the #update method + before_action :before_show, only: [:show, :update] + before_action :before_edit, only: [:new, :create, :edit, :destroy] # GET /tournaments # GET /tournaments.json @@ -53,9 +55,8 @@ class TournamentsController < ApplicationController # PATCH/PUT /tournaments/1 # PATCH/PUT /tournaments/1.json def update - if params[:update_action].nil? - check_perms + before_edit respond_to do |format| if @tournament.update(tournament_params) format.html { redirect_to @tournament, notice: 'Tournament was successfully updated.' } @@ -72,18 +73,20 @@ class TournamentsController < ApplicationController if @tournament.join(current_user) format.html { render action: 'show', notice: 'You have joined this tournament.' } format.json { head :no_content } + else + format.html { render action: 'permission_denied', status: :forbidden } + format.json { render json: "Permission denied", status: :forbidden } end - format.html { render action: 'permission_denied', status: :forbidden } - format.json { render json: "Permission denied", status: :forbidden } end when "open" respond_to do |format| if @tournament.setup - format.html { render action: 'show', notice: 'You have joined this tournament.' } + format.html { render action: 'show', notice: 'You have opend this tournament.' } format.json { head :no_content } + else + format.html { render action: 'permission_denied', status: :forbidden } + format.json { render json: "Permission denied", status: :forbidden } end - format.html { render action: 'permission_denied', status: :forbidden } - format.json { render json: "Permission denied", status: :forbidden } end #when "close" # TODO @@ -108,18 +111,19 @@ class TournamentsController < ApplicationController private # Use callbacks to share common setup or constraints between actions. - def set_tournament + def before_show @tournament = Tournament.find(params[:id]) end - def check_perms - unless (signed_in? and current_user.in_group?(:host)) - respond_to do |format| - format.html { render action: 'permission_denied', status: :forbidden } - format.json { render json: "Permission denied", status: :forbidden } - end - end - end + def before_edit + @tournament = Tournament.find(params[:id]) + unless (signed_in? and (@tournament.hosts.include?(current_user) or current_user.in_group?(:admin))) + respond_to do |format| + format.html { render action: 'permission_denied', status: :forbidden } + format.json { render json: "Permission denied", status: :forbidden } + end + end + end # Never trust parameters from the scary internet, only allow the white list through. def tournament_params diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 907958b..70facca 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -28,7 +28,7 @@ class UsersController < ApplicationController # POST /users.json def create @user = User.new(user_params) - + @user.groups = 0 respond_to do |format| if @user.save sign_in @user diff --git a/app/models/user.rb b/app/models/user.rb index fa07b60..4d6902a 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,6 +1,6 @@ class User < ActiveRecord::Base - has_and_belongs_to_many :tournaments_played, class_name: "Tournament", foreign_key: "tournament_id", join_table: "players_tournaments" - has_and_belongs_to_many :tournaments_hosted, class_name: "Tournament", foreign_key: "tournament_id", join_table: "hosts_tournaments" + has_and_belongs_to_many :tournaments_played, class_name: "Tournament", foreign_key: "player_id", join_table: "players_tournaments" + has_and_belongs_to_many :tournaments_hosted, class_name: "Tournament", foreign_key: "host_id", join_table: "hosts_tournaments" before_save { self.email = email.downcase } before_save { self.user_name = user_name } |