Do not show delete to unauthorized. Fixes #11

eladmeidar · Jul 11, 2011 · 05c0cf8 · 05c0cf8
1 parent 5f1e171
commit 05c0cf8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/app/models/activity.rb b/app/models/activity.rb
@@ -225,14 +225,23 @@ def allow?(subject, action)
     when 'update'
       return true if contact.sender_id == Actor.normalize_id(subject)
     when 'destroy'
-      return true if [contact.sender_id, contact.receiver_id].include?(Actor.normalize_id(subject))
+      # We only allow destroying to sender and receiver by now
+      return [contact.sender_id, contact.receiver_id].include?(Actor.normalize_id(subject))
     end
 
     Relation.
       allow(subject, action, 'activity').
       where('relations.id' => relation_ids).
       any?
-   end
+  end
+
+  # Can subject delete the object of this activity?
+  def delete_object_by?(subject)
+    subject.present? &&
+    direct_object.present? &&
+      ! direct_object.is_a?(Actor) &&
+      allow?(subject, 'destroy')
+  end
 
   private
 

diff --git a/app/views/activities/_options.html.erb b/app/views/activities/_options.html.erb
@@ -5,7 +5,7 @@
     <li><div class="verb_comment"> · <%= link_to t('activity.to_comment'), "#", :class => "to_comment" %> </div></li>
     <% end %>
     <li><div class="verb_like" id="like_<%= dom_id(activity) %>"> · <%= link_like(activity)%></div></li>
-    <% if activity.direct_object.present? && !activity.direct_object.is_a?(Actor) %>
+    <% if activity.delete_object_by?(current_subject) %>
       <li><div class="verb_delete"> · <%= link_to t('activity.delete'), activity.direct_object , :confirm => t('confirm_delete', :scope => activity.direct_object.class.to_s.underscore), :method => :delete,  :remote => true %> </div></li>
     <% end %>
   </ul>