From 4d7525bb3c626b6555e7eb35e7c95ed6b8bd9661 Mon Sep 17 00:00:00 2001
From: Bryan Larsen <bryan@larsen.st>
Date: Mon, 3 Jun 2013 16:38:26 +0200
Subject: [PATCH] project-permissions

How should this affect the permissions? Certain operations on the project should probably be restricted to its owner. We'll use the `owner_is?` helper (that Hobo provides for every `belongs_to` relationship) as it can save an extra database hit. So, edit these permission methods in the Project model:

SHOW_PATCH

Note that in the `create_permitted?` method, we assert that `owner_is? acting_user`. This is very often found in conjunction with `:creator => true`. Together, these mean that the current user can create their own projects only, and the "Owner" form field will be automatically removed from the new project form.
---
 app/models/project.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/models/project.rb b/app/models/project.rb
index a88bf44..5bce2d9 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -18,15 +18,15 @@ class Project < ActiveRecord::Base
   # --- Permissions --- #
 
   def create_permitted?
-    acting_user.administrator?
+    owner_is? acting_user
   end
 
   def update_permitted?
-    acting_user.administrator?
+    acting_user.administrator? || (owner_is?(acting_user) && !owner_changed?)
   end
 
   def destroy_permitted?
-    acting_user.administrator?
+    acting_user.administrator? || owner_is?(acting_user)
   end
 
   def view_permitted?(field)