
Restricted unauthorized access to data.

Restricted access now that ownership is being tracked
Restricts access to editing internships, short term goals and long term goals, and to viewing and editing my guide data.
1 parent 4628524 commit 47920ae9a4dfce384f579521c83f89f577de0c12 @kcalmes kcalmes committed Nov 29, 2011
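--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -69,6 +69,9 @@ def current_user
 end
 def authenticate
+ #ADDRED FOR OFFLINE TESTING - UNCOMMENT LATER
+ cookies[:net_id] = 'kcalmes'
+
 cookies[:page_redirect] = request.url
 if not current_user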
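Review bot: `cookies[:net_id] = 'kcalmes'` runs on every call to `authenticate`, so if this hunk ships every request is treated as that user and the `if not current_user` check below never fails; the comment says it is for offline testing, but nothing stops it from running in production. At minimum guard it, `cookies[:net_id] = 'kcalmes' if Rails.env.development?`, and preferably remove it before merging. If `current_user` trusts a plain `net_id` cookie (its body is outside the hunk, so I cannot tell), a session- or `cookies.signed`-backed value would be the safer basis for identity. The body of `authenticate` continues past the end of the hunk.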
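--- a/app/controllers/internships_controller.rb
+++ b/app/controllers/internships_controller.rb
@@ -167,6 +167,7 @@ def new
 # GET /internships/1/edit
 def edit
 @internship = Internship.find(params[:id])
+ authorize! :update, @internship
 end
 # POST /internships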
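Review bot: `authorize! :update, @internship` covers only the `edit` action; the `update` and `destroy` actions are not in the hunk, so I cannot tell whether a request that skips the form and goes straight to `/internships/:id` is checked the same way. Consider `load_and_authorize_resource` at the top of the controller (or the same `authorize!` call in each writing action) so the ownership rule from `Ability` is enforced where the record is actually changed, not only on the form page. The rest of the controller is outside the hunk.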
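--- a/app/controllers/pages_controller.rb
+++ b/app/controllers/pages_controller.rb
@@ -8,6 +8,11 @@ def index
 def myguide
 @myguide_user_id = params[:myguide_user_id]
+ if params[:format] == 'json'
+ puts "Calling JSON"
+ end
+ authorize! :myguide, :pages, @myguide_user_id if params[:format] != 'json'
+
 #authorize! :view, :myguide
 #respond_to do |format|
 # format.html { render :layout => 'layouts/myguide' } # myguide.html.erb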
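Review bot: The `if params[:format] != 'json'` modifier exempts JSON requests from `authorize!`, so the guide data the HTML page now protects is still readable for any `@myguide_user_id` when the JSON representation is requested. Authorize unconditionally, `authorize! :myguide, :pages, @myguide_user_id`, and if the JSON client needs a structured failure, return it from the `CanCan::AccessDenied` handler rather than skipping the check. The `puts "Calling JSON"` block is debug output to stdout and should be removed or replaced with `logger.debug`. The body of `myguide` continues below the hunk.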
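--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -2,7 +2,7 @@ class Ability
 include CanCan::Ability
 def initialize(user)
- puts user.net_id
+ puts "Current Users NetId: #{user.net_id} (Called from ability file)"
 user ||= User.new # guest user (not logged in)
 if user.has_role ['admin']
 can :manage, :all
@@ -11,31 +11,59 @@ def initialize(user)
 can :index, :pages
 can :index, :map
 can :map, :pages
+ can :myguide, :pages
 can :dashboard, :internships
 #can :index, :internships
- can :manage, :internships
+ #can :manage, :internships
 can :manage, :academic_contacts
 can :manage, :fields
 can :manage, :financial_assistance_options
 can :manage, :financial_assistance_option_types
 can :manage, :industries
- can :manage, :internships
+
+ can :read, :internships
+ can :create, :internships
+ can :update, :internships
+ can :update, Internship do |internship|
+ internship.user == user
+ end
 can :manage, :locations
 can :manage, :providers
 can :manage, :provider_contacts
- #can :manage, LongTermGoal
- #can :manage, ShortTermGoal
+
+ can :create, :long_term_goals
+ can :update, LongTermGoal do |long_term_goal|
+ long_term_goal.user == user
+ end
+
+ can :read, :short_term_goals
+ can :create, :short_term_goals
+ can :update, :short_term_goals
+ can :update, ShortTermGoal do |short_term_goal|
+ short_term_goal.user == user
+ end
+
+ can :manage, :myguide
+
+ can :read, :students
 elsif user.has_role ['student']
 can :index, :pages
 can :index, :map
 can :map, :pages
- #can :myguide, :pages
+ can :myguide, :pages
+ can :myguide, :pages do |controller, my_guide_id|
+ my_guide_id.to_i == user.id.to_i
+ end
+
+
 can :read, :internships
 can :read, :long_term_goals
 can :read, :short_term_goals
+ can :make, :advisement_appointment
+
 else
 cannot :read, :all
 end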
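Review bot: In the student branch the unconditional `can :myguide, :pages` on the line before the ownership block makes that block ineffective: as far as I recall CanCan 1.x, a block rule that returns false falls through to the remaining rules, and the unconditional rule then grants `:myguide` for any `my_guide_id`, so the `my_guide_id.to_i == user.id.to_i` check never restricts anything. Keep only the block form, `can :myguide, :pages do |_controller, my_guide_id| my_guide_id.to_i == user.id.to_i end`, if students are meant to see only their own guide. In the first hunk the new `puts "Current Users NetId: #{user.net_id} ..."` still dereferences `user` before `user ||= User.new`, so a guest (nil) raises NoMethodError instead of receiving the guest ability; move it below the `||=` or write `user && user.net_id`, and consider `Rails.logger.debug` over `puts`.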
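--- a/app/views/internships/_form.html.erb
+++ b/app/views/internships/_form.html.erb
@@ -232,19 +232,21 @@
 <%= f.text_area :notes, :class => 'tiny_editor' %>
 </div>
 <% end %>
- <%= theme_box(8, "Ownership", true) do %>
- <% if can? :manage, :users %>
+
+ <% if can? :manage, :users %>
+ <%= theme_box(8, "Ownership", true) do %>
 <div class="field">
 <label>Net Id</label>
 <div class="input_group">
 <%= f.collection_select :user_id, User.all, :id, :net_id, {:selected => @internship.user.id} %>
 </div>
 </div>
- <% else %>
- <%= f.hidden_field :user_id %>
 <% end %>
+ <% else %>
+ <%= f.hidden_field :user_id %>
 <% end %>
+
 <% end %>
 <script>
 $(function(){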
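Review bot: The hidden `user_id` field is still a client-supplied value, so moving it into the `else` branch only changes what the browser renders; a submitter without `:manage, :users` can still send any `user_id` with the form. Whether the controller ignores it for such users is outside this hunk; if it does not, assign ownership server-side (for example `@internship.user = current_user unless can? :manage, :users`) and keep `user_id` out of the mass-assignable attributes rather than relying on the template. The form's enclosing `form_for` block starts before the hunk.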
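--- a/app/views/internships/index.html.erb
+++ b/app/views/internships/index.html.erb
@@ -12,6 +12,9 @@
 </thead>
 <tbody>
 <% @internships.each do |internship| %>
+ <% if cannot? :edit, internship %>
+ <% next %>
+ <% end %>
 <tr>
 <td><%= internship.name %></td>
 <td><%= internship.provider.name %></td>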
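Review bot: `<% if cannot? :edit, internship %><% next %><% end %>` hides rows from the list, which is presentation only; the restriction on editing has to stay in the controller's `authorize!`, and the same pattern is added in `app/views/long_term_goals/index.html.erb` and `app/views/short_term_goals/index.html.erb`. The three-line form reads better as `<% next if cannot? :edit, internship %>`, or filter once before rendering (`@internships.select { |i| can? :edit, i }`) so the template does not interleave control flow with markup. Roles that only have `can :read, :internships` now get an empty table here; if that is intended, a one-line comment saying the index lists only editable records would save the next reader a question.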
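--- a/app/views/long_term_goals/index.html.erb
+++ b/app/views/long_term_goals/index.html.erb
@@ -14,6 +14,9 @@
 <tbody>
 <% @long_term_goals.each do |long_term_goal| %>
+ <% if cannot? :edit, long_term_goal %>
+ <% next %>
+ <% end %>
 <tr>
 <td><%= long_term_goal.name %></td>
 <td><%= raw long_term_goal.description.gsub!(/(<[^>]*>)|\n|\t/s) {" "} %></td>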
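Review bot: The context line `<%= raw long_term_goal.description.gsub!(...) %>` is pre-existing, but since this hunk now shows `description` to more readers it is worth a look: a hand-written tag regex followed by `raw` is not a sanitizer, and `gsub!` returns nil when nothing matches, so an untagged description renders as an empty cell. `<%= strip_tags(long_term_goal.description).gsub(/[\n\t]/, " ") %>` gives the same whitespace cleanup with the framework's escaping left in place.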
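--- a/app/views/pages/index.html.erb
+++ b/app/views/pages/index.html.erb
@@ -37,42 +37,42 @@
 </button>
 <% end %>
 <% end %>
- <% if @current_user.has_role ['student'] %>
+ <% if can? :make, :advisement_appointment %>
 <%= link_to nil do %>
 <button class="skin_colour round_all">
 <span>Make an Advisement Appointment</span>
 </button>
 <% end %>
 <% end %>
- <% if can? :manage, :short_term_goals %>
+ <% if can? :read, :students %>
 <%= link_to students_path do %>
 <button class="skin_colour round_all">
 <span>See Students</span>
 </button>
 <% end %>
 <% end %>
- <% if can? :manage, :short_term_goals %>
+ <% if can? :update, :short_term_goals %>
 <%= link_to short_term_goals_path do %>
 <button class="skin_colour round_all">
 <span>Edit Short Term Goals</span>
 </button>
 <% end %>
 <% end %>
- <% if can? :manage, :short_term_goals %>
+ <% if can? :create, :short_term_goals %>
 <%= link_to new_short_term_goal_path do %>
 <button class="skin_colour round_all">
 <span>Add Short Term Goal</span>
 </button>
 <% end %>
 <% end %>
- <% if can? :manage, :internships %>
+ <% if can? :update, :internships %>
 <%= link_to internships_path do %>
 <button class="skin_colour round_all">
 <span>Edit Internships</span>
 </button>
 <% end %>
 <% end %>
- <% if can? :manage, :internships %>
+ <% if can? :create, :internships %>
 <%= link_to new_internship_path do %>
 <button class="skin_colour round_all">
 <span>Add Internship</span>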
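--- a/app/views/pages/myguide.html.erb
+++ b/app/views/pages/myguide.html.erb
@@ -1,11 +1,13 @@
 <div class="flat_area grid_16">
 <h2>MyGuide</h2>
-
 <div id="myguide" class="container_24" user_id="<%= @myguide_user_id %>">
 <div id="header" class=""><!--My Guide--></div>
-
- <div class="grid_4 year"></div>
+ <div class="grid_4 year">
+ <% if can? :manage, :myguide %>
+ <%= select_tag :active_user, options_from_collection_for_select(User.order(:net_id), :id, :net_id, @myguide_user_id) %>
+ <% end %>
+ </div>
 <div class="grid_5">
 <div class="button year">FIRST YEAR</div>
 <div class="progressbar year1"></div>
@@ -40,4 +42,14 @@
 <div id="progressbar" class="grid_24"></div>
 </div>
-</div>
+</div>
+<style>
+#active_user{
+ width: 100%;
+}
+</style>
+<script>
+ $('#active_user').change(function(){
+ location.href = '/myguide/'+$(this).attr('value');
+ });
+</script>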
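Review bot: `$(this).attr('value')` reads the `value` attribute of the `<select>` element rather than the selected option, so depending on the jQuery version in use the change handler can redirect to `/myguide/undefined`; the reliable form is `location.href = '/myguide/' + $(this).val();`. In the first hunk, the `User.order(:net_id)` query inside the template would be cleaner as an instance variable set by the `myguide` action behind the same `can? :manage, :myguide` check, which also keeps the user list out of templates that are not authorized to see it. The `<script>` block is also guarded only by the presence of `#active_user`, which is fine, but a short comment saying the selector exists only for users who can manage MyGuide would help the next reader.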
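--- a/app/views/short_term_goals/index.html.erb
+++ b/app/views/short_term_goals/index.html.erb
@@ -15,6 +15,9 @@
 <tbody>
 <% @short_term_goals.each do |short_term_goal| %>
+ <% if cannot? :edit, short_term_goal %>
+ <% next %>
+ <% end %>
 <tr>
 <td><%= short_term_goal.name %></td>
 <td><%= short_term_goal.description %></td>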
