Permalink
Browse files

Only auto-subscribe to threads if the user has permission to read the…

… thread.
  • Loading branch information...
1 parent dd2fff3 commit 586aad820b98d839f302231179b6283121704a2a @gravitystorm gravitystorm committed May 16, 2012
Showing with 10 additions and 2 deletions.
  1. +10 −2 app/controllers/message_threads_controller.rb
@@ -61,7 +61,11 @@ def subscribe_group_users(thread)
pref = t[:involve_my_groups].eq("subscribe")
constraint = thread.issue ? pref : pref.and(t[:involve_my_groups_admin].eq(true))
members = thread.group.members.active.joins(:prefs).where(constraint)
- members.each{ |member| thread.subscriptions.create(user: member) unless member.subscribed_to_thread?(thread) }
+ members.each do |member|
+ if Authorization::Engine.instance.permit? :show, { object: thread, user: member }
+ thread.subscriptions.create(user: member) unless member.subscribed_to_thread?(thread)
+ end
+ end
end
def subscribe_issue_users(thread)
@@ -72,6 +76,10 @@ def subscribe_issue_users(thread)
where(user_prefs: {involve_my_locations: "subscribe"}).
all
- locations.each{ |loc| thread.subscriptions.create(user: loc.user) unless loc.user.subscribed_to_thread?(thread) }
+ locations.each do |loc|
+ if Authorization::Engine.instance.permit? :show, { object: thread, user: loc.user }
+ thread.subscriptions.create(user: loc.user) unless loc.user.subscribed_to_thread?(thread)
+ end
+ end
end
end

0 comments on commit 586aad8

Please sign in to comment.