
Do not show delete to unauthorized. Fixes #11

1 parent 5f1e171 commit 05c0cf8bbebc81011aaa2d28c6b575265689069e @atd atd committed Jul 11, 2011
Showing with 12 additions and 3 deletions.
  1. +11 −2 app/models/activity.rb
  2. +1 −1 app/views/activities/_options.html.erb
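--- a/app/models/activity.rb
+++ b/app/models/activity.rb
@@ -225,14 +225,23 @@ def allow?(subject, action)
 when 'update'
 return true if contact.sender_id == Actor.normalize_id(subject)
 when 'destroy'
-return true if [contact.sender_id, contact.receiver_id].include?(Actor.normalize_id(subject))
+# We only allow destroying to sender and receiver by now
+return [contact.sender_id, contact.receiver_id].include?(Actor.normalize_id(subject))
 end
 Relation.
 allow(subject, action, 'activity').
 where('relations.id' => relation_ids).
 any?
-end
+end
+
+# Can subject delete the object of this activity?
+def delete_object_by?(subject)
+subject.present? &&
+direct_object.present? &&
+! direct_object.is_a?(Actor) &&
+allow?(subject, 'destroy')
+end
 private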
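Review bot: `delete_object_by?` is only consulted by the view (`_options.html.erb` in this commit) to hide the delete link, so it prevents display, not deletion; unless the controller action behind that link applies the same `allow?(subject, 'destroy')` check, a subject that is not the sender or receiver can still send the DELETE request directly (the controller is not part of this commit, so it may already do so — worth confirming). The 'destroy' branch also changes meaning: the old `return true if …` fell through to the `Relation.allow` query for other subjects, while the new `return [...].include?(...)` answers false outright, so relation-granted destroy no longer applies; the "by now" comment suggests this is intended, so state it in the method doc, e.g. `# Only the contact's sender and receiver may destroy; relation permissions are not consulted for 'destroy'.` Minor style: `!direct_object.is_a?(Actor)` without the space after `!`. The enclosing `allow?` and its `case` begin before the hunk.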
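--- a/app/views/activities/_options.html.erb
+++ b/app/views/activities/_options.html.erb
@@ -5,7 +5,7 @@
 <li><div class="verb_comment"> · <%= link_to t('activity.to_comment'), "#", :class => "to_comment" %> </div></li>
 <% end %>
 <li><div class="verb_like" id="like_<%= dom_id(activity) %>"> · <%= link_like(activity)%></div></li>
-<% if activity.direct_object.present? && !activity.direct_object.is_a?(Actor) %>
+<% if activity.delete_object_by?(current_subject) %>
 <li><div class="verb_delete"> · <%= link_to t('activity.delete'), activity.direct_object , :confirm => t('confirm_delete', :scope => activity.direct_object.class.to_s.underscore), :method => :delete, :remote => true %> </div></li>
 <% end %>
 </ul>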
