summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--app/controllers/tournaments_controller.rb40
-rw-r--r--app/controllers/users_controller.rb2
-rw-r--r--app/models/user.rb4
3 files changed, 25 insertions, 21 deletions
diff --git a/app/controllers/tournaments_controller.rb b/app/controllers/tournaments_controller.rb
index 5155a4f..913ca52 100644
--- a/app/controllers/tournaments_controller.rb
+++ b/app/controllers/tournaments_controller.rb
@@ -1,6 +1,8 @@
class TournamentsController < ApplicationController
- before_action :set_tournament, only: [:show, :edit, :update, :destroy, :join]
- before_action :check_perms, only: [:new, :create, :edit, :destroy]
+ # put #update in with before_show, because in special cases the
+ # permissions are relaxed, so we do that right in the #update method
+ before_action :before_show, only: [:show, :update]
+ before_action :before_edit, only: [:new, :create, :edit, :destroy]
# GET /tournaments
# GET /tournaments.json
@@ -53,9 +55,8 @@ class TournamentsController < ApplicationController
# PATCH/PUT /tournaments/1
# PATCH/PUT /tournaments/1.json
def update
-
if params[:update_action].nil?
- check_perms
+ before_edit
respond_to do |format|
if @tournament.update(tournament_params)
format.html { redirect_to @tournament, notice: 'Tournament was successfully updated.' }
@@ -72,18 +73,20 @@ class TournamentsController < ApplicationController
if @tournament.join(current_user)
format.html { render action: 'show', notice: 'You have joined this tournament.' }
format.json { head :no_content }
+ else
+ format.html { render action: 'permission_denied', status: :forbidden }
+ format.json { render json: "Permission denied", status: :forbidden }
end
- format.html { render action: 'permission_denied', status: :forbidden }
- format.json { render json: "Permission denied", status: :forbidden }
end
when "open"
respond_to do |format|
if @tournament.setup
- format.html { render action: 'show', notice: 'You have joined this tournament.' }
+ format.html { render action: 'show', notice: 'You have opend this tournament.' }
format.json { head :no_content }
+ else
+ format.html { render action: 'permission_denied', status: :forbidden }
+ format.json { render json: "Permission denied", status: :forbidden }
end
- format.html { render action: 'permission_denied', status: :forbidden }
- format.json { render json: "Permission denied", status: :forbidden }
end
#when "close"
# TODO
@@ -108,18 +111,19 @@ class TournamentsController < ApplicationController
private
# Use callbacks to share common setup or constraints between actions.
- def set_tournament
+ def before_show
@tournament = Tournament.find(params[:id])
end
- def check_perms
- unless (signed_in? and current_user.in_group?(:host))
- respond_to do |format|
- format.html { render action: 'permission_denied', status: :forbidden }
- format.json { render json: "Permission denied", status: :forbidden }
- end
- end
- end
+ def before_edit
+ @tournament = Tournament.find(params[:id])
+ unless (signed_in? and (@tournament.hosts.include?(current_user) or current_user.in_group?(:admin)))
+ respond_to do |format|
+ format.html { render action: 'permission_denied', status: :forbidden }
+ format.json { render json: "Permission denied", status: :forbidden }
+ end
+ end
+ end
# Never trust parameters from the scary internet, only allow the white list through.
def tournament_params
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 907958b..70facca 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -28,7 +28,7 @@ class UsersController < ApplicationController
# POST /users.json
def create
@user = User.new(user_params)
-
+ @user.groups = 0
respond_to do |format|
if @user.save
sign_in @user
diff --git a/app/models/user.rb b/app/models/user.rb
index fa07b60..4d6902a 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,6 +1,6 @@
class User < ActiveRecord::Base
- has_and_belongs_to_many :tournaments_played, class_name: "Tournament", foreign_key: "tournament_id", join_table: "players_tournaments"
- has_and_belongs_to_many :tournaments_hosted, class_name: "Tournament", foreign_key: "tournament_id", join_table: "hosts_tournaments"
+ has_and_belongs_to_many :tournaments_played, class_name: "Tournament", foreign_key: "player_id", join_table: "players_tournaments"
+ has_and_belongs_to_many :tournaments_hosted, class_name: "Tournament", foreign_key: "host_id", join_table: "hosts_tournaments"
before_save { self.email = email.downcase }
before_save { self.user_name = user_name }