Diffstat (limited to 'app')
-rw-r--r--app/controllers/alerts_controller.rb10
-rw-r--r--app/controllers/servers_controller.rb10
-rw-r--r--app/controllers/tournaments_controller.rb10
3 files changed, 30 insertions, 0 deletions
diff --git a/app/controllers/alerts_controller.rb b/app/controllers/alerts_controller.rb
index 873e9b7..9e37ec9 100644
--- a/app/controllers/alerts_controller.rb
+++ b/app/controllers/alerts_controller.rb
@@ -1,5 +1,6 @@
class AlertsController < ApplicationController
before_action :set_alert, only: [:show, :edit, :update, :destroy]
+ before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]
# GET /alerts
# GET /alerts.json
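Review bot: `check_perms` is registered after `set_alert`, so for edit, update and destroy the `Alert.find(params[:id])` lookup runs before the caller has been authorised. With Rails' default handling of a failed `find`, an unauthorised request would get a 404 for a missing id and a 403 for an existing one, which reveals which alert ids exist and costs a query per rejected request. Moving the new line above the `set_alert` line, so that `before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]` comes first, avoids both. The same ordering appears in the first hunks of servers_controller.rb and tournaments_controller.rb; the class body continues outside this hunk.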
@@ -67,6 +68,15 @@ class AlertsController < ApplicationController
@alert = Alert.find(params[:id])
end
+ def check_perms
+ unless (signed_in? and (current_user.in_group(:admin) or current_user.in_group(:host)))
+ respond_to do |format|
+ format.html { render action: 'permission_denied', status: :forbidden }
+ format.json { render json: "Permission denied", status: :forbidden }
+ end
+ end
+ end
+
# Never trust parameters from the scary internet, only allow the white list through.
def alert_params
params.require(:alert).permit(:author_id, :message)
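Review bot: The HTML branch of `check_perms` calls `render action: 'permission_denied'`, which resolves to a template in this controller's own view directory, yet the diffstat for `app` lists only the three controller files. Unless that template already exists for alerts, servers and tournaments, a rejected browser request would raise a missing-template error instead of returning the 403 page; the action would still not run, but the response would be a 500. The same body is repeated in the other two controllers with only the group test changed, so a single filter in `ApplicationController` that takes the allowed groups would keep the three checks from drifting apart. A comment above the method such as `# Halts the request with 403 unless the user is a signed-in admin or host.` would document the intent.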
diff --git a/app/controllers/servers_controller.rb b/app/controllers/servers_controller.rb
index 7d54eb6..6d8ac75 100644
--- a/app/controllers/servers_controller.rb
+++ b/app/controllers/servers_controller.rb
@@ -1,5 +1,6 @@
class ServersController < ApplicationController
before_action :set_server, only: [:show, :edit, :update, :destroy]
+ before_action :check_perms
# GET /servers
# GET /servers.json
@@ -67,6 +68,15 @@ class ServersController < ApplicationController
@server = Server.find(params[:id])
end
+ def check_perms
+ unless (signed_in? and current_user.in_group(:admin))
+ respond_to do |format|
+ format.html { render action: 'permission_denied', status: :forbidden }
+ format.json { render json: "Permission denied", status: :forbidden }
+ end
+ end
+ end
+
# Never trust parameters from the scary internet, only allow the white list through.
def server_params
params[:server]
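Review bot: The new `check_perms` limits who may reach these actions but not which attributes they may write, because `server_params` directly below still returns `params[:server]` unfiltered despite its allow-list comment. The other two controllers use `params.require(...).permit(...)`; the equivalent here would be `params.require(:server).permit(...)` listing the server's editable fields, which are not visible in this hunk. `server_params` continues past the end of the hunk, so this is based only on its first line.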
diff --git a/app/controllers/tournaments_controller.rb b/app/controllers/tournaments_controller.rb
index 5c53693..3f1c134 100644
--- a/app/controllers/tournaments_controller.rb
+++ b/app/controllers/tournaments_controller.rb
@@ -1,5 +1,6 @@
class TournamentsController < ApplicationController
before_action :set_tournament, only: [:show, :edit, :update, :destroy]
+ before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]
# GET /tournaments
# GET /tournaments.json
@@ -69,6 +70,15 @@ class TournamentsController < ApplicationController
@tournament = Tournament.find(params[:id])
end
+ def check_perms
+ unless (signed_in? and current_user.in_group(:host))
+ respond_to do |format|
+ format.html { render action: 'permission_denied', status: :forbidden }
+ format.json { render json: "Permission denied", status: :forbidden }
+ end
+ end
+ end
+
# Never trust parameters from the scary internet, only allow the white list through.
def tournament_params
params.require(:tournament).permit(:game_id, :game)
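Review bot: This `check_perms` admits only `:host`, whereas the alerts controller admits `:admin` or `:host` and the servers controller admits `:admin`, so an admin who is not also in the host group would get a 403 on every tournament write. If admins are meant to manage tournaments, the condition should read `unless signed_in? && (current_user.in_group(:admin) || current_user.in_group(:host))`. If the exclusion is deliberate, a short comment saying so above the method would keep a later change from widening it by accident.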