@@ -70,7 +70,7 @@ class ApplicationController < ActionController::Base next unless (l[0] == :all) || (l[0] == :non_user && !@u) || (l[0] == :user && @u) || - (l[0] == :owner && @p && @p.id==(params[:profile_id] || params[:id]).to_i) + (l[0] == :owner && @p && @profile && @p == @profile) args = l[1] @level = [] and return true if args[:all] == true app/controllers/application.rb @@ -1,5 +1,6 @@ class BlogsController < ApplicationController skip_filter :login_required, :only => [:index, :show] + prepend_before_filter :get_profile before_filter :setup @@ -70,8 +71,11 @@ class BlogsController < ApplicationController protected - def setup + def get_profile @profile = Profile[params[:profile_id]] + end + + def setup @user = @profile.user @blogs = @profile.blogs.paginate(:page => @page, :per_page => @per_page) app/controllers/blogs_controller.rb @@ -1,5 +1,6 @@ class PhotosController < ApplicationController skip_filter :login_required + prepend_before_filter :get_profile before_filter :setup @@ -54,9 +55,11 @@ class PhotosController < ApplicationController super :all, :only => [:index, :show] end + def get_profile + @profile = Profile[params[:profile_id] || params[:id]] + end def setup - @profile = Profile[params[:profile_id] || params[:id]] @user = @profile.user @photos = @profile.photos.paginate(:all, :page => @page, :per_page => @per_page) @photo = Photo.new app/controllers/photos_controller.rb @@ -1,6 +1,6 @@ class ProfilesController < ApplicationController include ApplicationHelper - + prepend_before_filter :get_profile, :except => [:new, :create, :index, :search] before_filter :setup, :except => [:index, :search] before_filter :search_results, :only => [:index, :search] skip_filter :login_required, :only=>[:show, :index, :feed, :search] @@ -106,8 +106,11 @@ class ProfilesController < ApplicationController super :all, :only => [:show, :index, :search] end - def setup + def get_profile @profile = Profile[params[:id]] + end + + def setup @user = @profile.user end app/controllers/profiles_controller.rb @@ -54,7 +54,6 @@ class ProfilesControllerTest < ActionController::TestCase end should_not_assign_to :user - should_not_assign_to :profile should_respond_with :redirect should_redirect_to 'login_path' should_not_set_the_flash test/functional/profiles_controller_test.rb 9ca0a5271fd97e9128fcaa6a10fdd514b1fa1674 Matthew Peychich mpeychich@mac.com http://github.com/stevenbristol/lovd-by-less/commit/e279286807cb7b8691ca25bac323e5572e315e17 e279286807cb7b8691ca25bac323e5572e315e17 2008-05-01T11:52:59-07:00 2008-05-01T11:52:59-07:00 Improve the :owner permissions for allow_to 6355e04fe288ece9a6694c0e4516e3369b835b20 Matthew Peychich mpeychich@mac.com