From 526bff770017a1f6a66e45b5b6e61840711078b8 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Wed, 5 Mar 2014 22:53:41 -0500 Subject: add access control to the controllers for alerts, servers, and tournaments --- app/controllers/alerts_controller.rb | 10 ++++++++++ app/controllers/servers_controller.rb | 10 ++++++++++ app/controllers/tournaments_controller.rb | 10 ++++++++++ 3 files changed, 30 insertions(+) diff --git a/app/controllers/alerts_controller.rb b/app/controllers/alerts_controller.rb index 873e9b7..9e37ec9 100644 --- a/app/controllers/alerts_controller.rb +++ b/app/controllers/alerts_controller.rb @@ -1,5 +1,6 @@ class AlertsController < ApplicationController before_action :set_alert, only: [:show, :edit, :update, :destroy] + before_action :check_perms, only: [:new, :create, :edit, :update, :destroy] # GET /alerts # GET /alerts.json @@ -67,6 +68,15 @@ class AlertsController < ApplicationController @alert = Alert.find(params[:id]) end + def check_perms + unless (signed_in? and (current_user.in_group(:admin) or current_user.in_group(:host))) + respond_to do |format| + format.html { render action: 'permission_denied', status: :forbidden } + format.json { render json: "Permission denied", status: :forbidden } + end + end + end + # Never trust parameters from the scary internet, only allow the white list through. def alert_params params.require(:alert).permit(:author_id, :message) diff --git a/app/controllers/servers_controller.rb b/app/controllers/servers_controller.rb index 7d54eb6..6d8ac75 100644 --- a/app/controllers/servers_controller.rb +++ b/app/controllers/servers_controller.rb @@ -1,5 +1,6 @@ class ServersController < ApplicationController before_action :set_server, only: [:show, :edit, :update, :destroy] + before_action :check_perms # GET /servers # GET /servers.json @@ -67,6 +68,15 @@ class ServersController < ApplicationController @server = Server.find(params[:id]) end + def check_perms + unless (signed_in? and current_user.in_group(:admin)) + respond_to do |format| + format.html { render action: 'permission_denied', status: :forbidden } + format.json { render json: "Permission denied", status: :forbidden } + end + end + end + # Never trust parameters from the scary internet, only allow the white list through. def server_params params[:server] diff --git a/app/controllers/tournaments_controller.rb b/app/controllers/tournaments_controller.rb index 5c53693..3f1c134 100644 --- a/app/controllers/tournaments_controller.rb +++ b/app/controllers/tournaments_controller.rb @@ -1,5 +1,6 @@ class TournamentsController < ApplicationController before_action :set_tournament, only: [:show, :edit, :update, :destroy] + before_action :check_perms, only: [:new, :create, :edit, :update, :destroy] # GET /tournaments # GET /tournaments.json @@ -69,6 +70,15 @@ class TournamentsController < ApplicationController @tournament = Tournament.find(params[:id]) end + def check_perms + unless (signed_in? and current_user.in_group(:host)) + respond_to do |format| + format.html { render action: 'permission_denied', status: :forbidden } + format.json { render json: "Permission denied", status: :forbidden } + end + end + end + # Never trust parameters from the scary internet, only allow the white list through. def tournament_params params.require(:tournament).permit(:game_id, :game) -- cgit v1.2.3-2-g168b