Fixes theforeman#9687 - respect custom controller permissions

domcleal · May 1, 2015 · a63aa7c · a63aa7c
1 parent bd3a90f
commit a63aa7c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
@@ -35,9 +35,13 @@ def get_resource
       instance_variable_get :"@#{resource_name}" or raise 'no resource loaded'
     end
 
+    def controller_permission
+      controller_name
+    end
+
     # overwrites resource_scope in FindCommon to consider nested objects
     def resource_scope(options = {})
-      options[:association] ||= controller_name
+      options[:association] ||= controller_permission
       if nested_obj && nested_obj.respond_to?(options[:association])
         association = nested_obj.send(options[:association])
         if association.respond_to?(:authorized)

diff --git a/app/controllers/concerns/find_common.rb b/app/controllers/concerns/find_common.rb
@@ -19,7 +19,7 @@ def resource_class
 
   def resource_scope(options = {})
     @resource_scope ||= begin
-      options[:controller] ||= controller_name
+      options[:controller] ||= controller_permission
       options[:permission] ||= "#{action_permission}_#{options[:controller]}"
       scope = resource_class.scoped
       if resource_class.respond_to?(:authorized)