From 526bff770017a1f6a66e45b5b6e61840711078b8 Mon Sep 17 00:00:00 2001
From: Luke Shumaker <LukeShu@sbcglobal.net>
Date: Wed, 5 Mar 2014 22:53:41 -0500
Subject: add access control to the controllers for alerts, servers, and
 tournaments

---
 app/controllers/alerts_controller.rb      | 10 ++++++++++
 app/controllers/servers_controller.rb     | 10 ++++++++++
 app/controllers/tournaments_controller.rb | 10 ++++++++++
 3 files changed, 30 insertions(+)

diff --git a/app/controllers/alerts_controller.rb b/app/controllers/alerts_controller.rb
index 873e9b7..9e37ec9 100644
--- a/app/controllers/alerts_controller.rb
+++ b/app/controllers/alerts_controller.rb
@@ -1,5 +1,6 @@
 class AlertsController < ApplicationController
   before_action :set_alert, only: [:show, :edit, :update, :destroy]
+  before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]
 
   # GET /alerts
   # GET /alerts.json
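Review bot: The new `before_action :check_perms` is declared after `set_alert`, so for edit/update/destroy the `Alert.find(params[:id])` lookup runs before the permission check; an unauthorized caller gets a 404 for an unknown id but a 403 for an existing one, which reveals whether a record exists. Declaring the permission check first closes that gap: `before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]` placed above the `set_alert` line. The same ordering appears in the servers hunk (`before_action :check_perms` after `set_server`) and the tournaments hunk (after `set_tournament`).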
@@ -67,6 +68,15 @@ class AlertsController < ApplicationController
       @alert = Alert.find(params[:id])
     end
 
+	def check_perms
+		unless (signed_in? and (current_user.in_group(:admin) or current_user.in_group(:host)))
+			respond_to do |format|
+				format.html { render action: 'permission_denied', status: :forbidden }
+				format.json { render json: "Permission denied", status: :forbidden }
+			end
+		end
+	end
+
     # Never trust parameters from the scary internet, only allow the white list through.
     def alert_params
       params.require(:alert).permit(:author_id, :message)
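Review bot: The JSON branch of `check_perms` sends `render json: "Permission denied"`, and Rails passes a String body through untouched, so the 403 response is the bare text rather than a JSON document; clients parsing the body will fail. The condition also uses the keyword operators `and`/`or` and the method body is tab-indented while the surrounding file uses two spaces, so this is worth rewriting as a guard clause with `&&`/`||` and a JSON object body. The HTML branch renders a `permission_denied` template that is not part of this patch; if it does not exist under app/views/alerts/ or app/views/application/, the 403 becomes a MissingTemplate error, so please confirm it is present. The servers and tournaments `check_perms` methods have the same three issues.
```ruby
    def check_perms
      return if signed_in? && (current_user.in_group(:admin) || current_user.in_group(:host))

      respond_to do |format|
        format.html { render action: 'permission_denied', status: :forbidden }
        format.json { render json: { error: 'Permission denied' }, status: :forbidden }
      end
    end
```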
diff --git a/app/controllers/servers_controller.rb b/app/controllers/servers_controller.rb
index 7d54eb6..6d8ac75 100644
--- a/app/controllers/servers_controller.rb
+++ b/app/controllers/servers_controller.rb
@@ -1,5 +1,6 @@
 class ServersController < ApplicationController
   before_action :set_server, only: [:show, :edit, :update, :destroy]
+  before_action :check_perms
 
   # GET /servers
   # GET /servers.json
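Review bot: Unlike the alerts and tournaments controllers, `before_action :check_perms` here has no `only:` list, so `index` and `show` also require the admin group and non-admin users cannot even list or view servers. If that is intentional, a comment on the line would stop a later reader from "fixing" it, e.g. `# Servers are admin-only, including index/show`; if it is not, add `only: [:new, :create, :edit, :update, :destroy]` to match the other two controllers.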
@@ -67,6 +68,15 @@ class ServersController < ApplicationController
       @server = Server.find(params[:id])
     end
 
+	def check_perms
+		unless (signed_in? and current_user.in_group(:admin))
+			respond_to do |format|
+				format.html { render action: 'permission_denied', status: :forbidden }
+				format.json { render json: "Permission denied", status: :forbidden }
+			end
+		end
+	end
+
     # Never trust parameters from the scary internet, only allow the white list through.
     def server_params
       params[:server]
diff --git a/app/controllers/tournaments_controller.rb b/app/controllers/tournaments_controller.rb
index 5c53693..3f1c134 100644
--- a/app/controllers/tournaments_controller.rb
+++ b/app/controllers/tournaments_controller.rb
@@ -1,5 +1,6 @@
 class TournamentsController < ApplicationController
   before_action :set_tournament, only: [:show, :edit, :update, :destroy]
+  before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]
 
   # GET /tournaments
   # GET /tournaments.json
@@ -69,6 +70,15 @@ class TournamentsController < ApplicationController
       @tournament = Tournament.find(params[:id])
     end
 
+	def check_perms
+		unless (signed_in? and current_user.in_group(:host))
+			respond_to do |format|
+				format.html { render action: 'permission_denied', status: :forbidden }
+				format.json { render json: "Permission denied", status: :forbidden }
+			end
+		end
+	end
+
     # Never trust parameters from the scary internet, only allow the white list through.
     def tournament_params
       params.require(:tournament).permit(:game_id, :game)
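Review bot: This `check_perms` is the third copy of the same method in this patch, differing from the alerts and servers versions only in which groups are accepted, so the three will drift as soon as one of them is changed. A single helper in ApplicationController that takes the allowed groups as arguments and performs the `signed_in?` check and the forbidden `respond_to` once would let each controller declare its policy on one line, for example `before_action -> { require_group(:host) }, only: [:new, :create, :edit, :update, :destroy]` here; the helper itself would live outside this patch. The alerts version would pass `:admin, :host` and the servers version `:admin`.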
-- 