Fixed profile item authorization issue

app/controllers/profile_items_controller.rb

@@ -11,8 +11,12 @@ def show
   def edit
     #TODO : Security check required
     @profile_item = ProfileItem.find(params[:id])
-
-    render :partial => "/profile_items/edit/#{@profile_item.itemtype.to_s}" , :object => @profile_item
+
+    if @profile_item.check(:update_permission,session) == true # Check if accessing obj has edit permission   
+       render :partial => "/profile_items/edit/#{@profile_item.itemtype.to_s}" , :object => @profile_item
+    else
+       render :partial => "/profile_items/show/#{@profile_item.itemtype.to_s}" , :object => @profile_item 
+    end
   end
 
   # POST /profile_items
@@ -22,7 +26,7 @@ def create
 
     respond_to do |format|
       if @profile_item.save
-        flash[:notice] = 'ProfileItem was successfully created.'
+        #flash[:notice] = 'ProfileItem was successfully created.'
         format.html { redirect_to(@profile_item) }
         format.xml  { render :xml => @profile_item, :status => :created, :location => @profile_item }
       else
@@ -36,7 +40,7 @@ def create
   def update
     @profile_item = ProfileItem.find(params[:id])
 
-    if @profile_item.check(:update_permission,session) == false
+    if @profile_item.check(:update_permission,session) != true
       render :text => "Operation Not Permitted / Malicious Request" 
     return 
     end
@@ -45,7 +49,7 @@ def update
     @profile_item.content =  params[:content]
     @profile_item.active = true
       if @profile_item.save
-        flash[:notice] = 'ProfileItem was successfully updated.'
+        #flash[:notice] = 'ProfileItem was successfully updated.'
         render :partial => "/profile_items/show/#{@profile_item.itemtype.to_s}" , :object => @profile_item
       else
         render :partial => "/profile_items/edit/#{@profile_item.itemtype.to_s}" , :object => @profile_item

app/models/profile_item.rb

@@ -3,7 +3,7 @@ class ProfileItem < ActiveRecord::Base
 
   def check(permission, app_session)  
 
-      ar_obj = ProfileItem.get_obj_accessing(app_session)  
+      ar_obj = ProfileItem.get_obj_accessing(app_session) 
       return self.entity_that_has_profile.profile_items_access_permitted(ar_obj,permission)
   rescue
       false  

app/views/profile_items/_profile_item.html.haml

@@ -1,2 +1,6 @@
 .profile_item{:id=> "profile-item-#{profile_item.id}"}
-  = render :partial => "/profile_items/#{ (profile_item.new_record? || profile_item.content == nil ) ? 'edit' : 'show' }/#{profile_item.itemtype.to_s}" , :object => profile_item
+  - partial_to_be_rendered = "/profile_items/show/#{profile_item.itemtype.to_s}" #this is default
+  - if  profile_item.check(:update_permission,session) == true  && (profile_item.new_record? || profile_item.content == nil )
+    - partial_to_be_rendered = "/profile_items/edit/#{profile_item.itemtype.to_s}"
+
+  = render :partial => partial_to_be_rendered , :object => profile_item

lib/has_profile_items.rb

@@ -63,14 +63,14 @@ def profile_items_access_permitted(ar_obj,permission = :update_permission)
          permitted_ar_objects = Array.new
 
          method_symbols.each {|method_sym|
-           result_obj = ar_obj.send(method_sym.to_sym)
+           result_obj = self.send(method_sym.to_sym)
            if result_obj.is_a?(Array)
               permitted_ar_objects = permitted_ar_objects |  result_obj #merge with no duplicates
            else
               permitted_ar_objects << result_obj # single insert
            end
-           }
-                                                                
+           }                   
+
          return permitted_ar_objects.include? ar_obj 
       rescue
            false