security, user index
@@ -10,20 +10,26 @@ class BlogpostsController < ApplicationController
|
||||
end
|
||||
|
||||
def new
|
||||
@post = Blogpost.new
|
||||
if current_user && current_user.rank >= rank_to_int("mod")
|
||||
@post = Blogpost.new
|
||||
else
|
||||
flash[:alert] = "You are not allowed to create a new post!"
|
||||
redirect_to blogposts_path
|
||||
end
|
||||
end
|
||||
|
||||
# GET /blogposts/1/edit
|
||||
def edit
|
||||
@post = Blogpost.find(params[:id])
|
||||
@post = Blogpost.find(params[:id])
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @edit.user))
|
||||
else
|
||||
flash[:alert] = "You are not allowed to update this post!"
|
||||
end
|
||||
end
|
||||
|
||||
# POST /blogposts
|
||||
# POST /blogposts.json
|
||||
def create
|
||||
if current_user && current_user.rank >= rank_to_int("mod")
|
||||
@post = Blogpost.new(params[:blogpost])
|
||||
@post.user_id = current_user.id unless current_user.nil?
|
||||
@post.user = current_user
|
||||
if @post.save
|
||||
redirect_to @post, notice: 'Post has been created.'
|
||||
else
|
||||
@@ -35,24 +41,29 @@ class BlogpostsController < ApplicationController
|
||||
end
|
||||
end
|
||||
|
||||
# PUT /blogposts/1
|
||||
# PUT /blogposts/1.json
|
||||
def update
|
||||
@post = Blogpost.find(params[:id])
|
||||
|
||||
if @post.update_attributes(params[:blogpost])
|
||||
redirect_to @post, notice: 'Post has been updated.'
|
||||
else
|
||||
render action: "edit"
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @post.user))
|
||||
if @post.update_attributes(params[:blogpost])
|
||||
redirect_to @post, notice: 'Post has been updated.'
|
||||
else
|
||||
flash[:alert] = "There was a problem while updating the post"
|
||||
render action: "edit"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# DELETE /blogposts/1
|
||||
# DELETE /blogposts/1.json
|
||||
def destroy
|
||||
@post = Blogpost.find(params[:id])
|
||||
@post.destroy
|
||||
|
||||
redirect_to blog_url
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @post.user))
|
||||
if @post.destroy
|
||||
flash[:notice] = "Post deleted!"
|
||||
else
|
||||
flash[:alert] = "There was a problem while deleting this Post"
|
||||
end
|
||||
else
|
||||
flash[:alert] = "You are not allowed to delete this Post"
|
||||
end
|
||||
redirect_to blogpots_path
|
||||
end
|
||||
end
|
||||
|
||||
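Review bot: In `edit`, the new permission check compares `current_user == @edit.user`, but no `@edit` is assigned anywhere in this controller, so for any signed-in user below mod rank the expression raises NoMethodError on nil instead of evaluating; it should be `current_user == @post.user`, which is what `update` and `destroy` already use. The `else` branch of `edit` only sets `flash[:alert]` and then falls through, so the edit template is still rendered for the unauthorized user — add `redirect_to blogposts_path` after the flash, as `new` does. `update` has no `else` at all, so an unauthorized PUT reaches the end of the action with neither a flash nor a redirect; mirror the `destroy` pattern with `else` / `flash[:alert] = "You are not allowed to update this post!"` / `redirect_to @post`. In `destroy`, `redirect_to blogpots_path` is a typo for `blogposts_path` and will raise on every request that reaches it. The rank is compared once as `current_user.rank >= rank_to_int("mod")` and once via `.to_i`; if `rank` is stored as a string the first comparison may not behave as intended — worth confirming against the model.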
@@ -1,50 +1,23 @@
|
||||
class CommentsController < ApplicationController
|
||||
# GET /comments
|
||||
# GET /comments.json
|
||||
def index
|
||||
@comments = Comment.all
|
||||
|
||||
respond_to do |format|
|
||||
format.html # index.html.erb
|
||||
format.json { render json: @comments }
|
||||
end
|
||||
end
|
||||
|
||||
# GET /comments/1
|
||||
# GET /comments/1.json
|
||||
def show
|
||||
@comment = Comment.find(params[:id])
|
||||
|
||||
respond_to do |format|
|
||||
format.html # show.html.erb
|
||||
format.json { render json: @comment }
|
||||
end
|
||||
end
|
||||
|
||||
# GET /comments/new
|
||||
# GET /comments/new.json
|
||||
def new
|
||||
@comment = Comment.new
|
||||
|
||||
respond_to do |format|
|
||||
format.html # new.html.erb
|
||||
format.json { render json: @comment }
|
||||
end
|
||||
end
|
||||
|
||||
# GET /comments/1/edit
|
||||
def edit
|
||||
@comment = Comment.find(params[:id])
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user))
|
||||
@comment = Comment.find(params[:id])
|
||||
session[:return_to] = blogpost_path(@comment.blogpost)
|
||||
else
|
||||
flash[:alert] = "You are not allowed to edit this comment"
|
||||
redirect_to @comment.blogpost
|
||||
end
|
||||
end
|
||||
|
||||
# POST /comments
|
||||
# POST /comments.json
|
||||
def create
|
||||
@comment = Comment.new(params[:comment])
|
||||
@comment.user_id = current_user.id
|
||||
@comment.blogpost = Blogpost.find(params[:blogpost_id])
|
||||
if current_user
|
||||
@comment = Comment.new(params[:comment])
|
||||
@comment.user_id = current_user.id
|
||||
@comment.blogpost = Blogpost.find(params[:blogpost_id])
|
||||
if @comment.save
|
||||
redirect_to @comment.blogpost, notice: 'Comment was successfully created.'
|
||||
redirect_to @comment.blogpost, notice: 'Comment created!'
|
||||
else
|
||||
flash[:alert] = "There was a problem while saving your comment"
|
||||
redirect_to blogpost_path(params[:blogpost_id])
|
||||
@@ -52,30 +25,34 @@ class CommentsController < ApplicationController
|
||||
end
|
||||
end
|
||||
|
||||
# PUT /comments/1
|
||||
# PUT /comments/1.json
|
||||
def update
|
||||
@comment = Comment.find(params[:id])
|
||||
|
||||
respond_to do |format|
|
||||
if @comment.update_attributes(params[:comment])
|
||||
format.html { redirect_to @comment, notice: 'Comment was successfully updated.' }
|
||||
format.json { head :no_content }
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user))
|
||||
if @comment.update_attributes(params[:comment])
|
||||
flash[:notice] = "Comment updated!"
|
||||
redirect_to @comment.blogpost
|
||||
else
|
||||
flash[:alert] = "There was a problem while updating your comment"
|
||||
redirect_to session[:return_to]
|
||||
session.delete(:redirect_to)
|
||||
end
|
||||
else
|
||||
format.html { render action: "edit" }
|
||||
format.json { render json: @comment.errors, status: :unprocessable_entity }
|
||||
flash[:alert] = "You are not allowed to edit this comment"
|
||||
redirect_to blogpost_path(params[:blogpost_id])
|
||||
end
|
||||
end
|
||||
|
||||
# DELETE /comments/1
|
||||
# DELETE /comments/1.json
|
||||
def destroy
|
||||
@comment = Comment.find(params[:id])
|
||||
@comment.destroy
|
||||
|
||||
respond_to do |format|
|
||||
format.html { redirect_to comments_url }
|
||||
format.json { head :no_content }
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user))
|
||||
if @comment.destroy
|
||||
flash[:notice] = "Comment deleted!"
|
||||
else
|
||||
flash[:alert] = "There was a problem while deleting this comment"
|
||||
end
|
||||
else
|
||||
flash[:alert] = "You are not allowed to delete this comment"
|
||||
end
|
||||
redirect_to @comment.blogpost
|
||||
end
|
||||
end
|
||||
end
|
||||
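Review bot: In `update`, the failure branch redirects to `session[:return_to]` and then calls `session.delete(:redirect_to)`, which is a different key, so the return path stored by `edit` is never cleared and a stale value can be reused by a later request; it should be `session.delete(:return_to)`. `redirect_to session[:return_to]` also has no fallback when the key is absent (a PUT that did not pass through `edit`), in which case `redirect_to nil` raises; `redirect_to(session[:return_to] || @comment.blogpost)` covers that. The unauthorized branch of `update` redirects to `blogpost_path(params[:blogpost_id])` — presumably the comment update route does not carry `blogpost_id`, so `@comment.blogpost`, as `destroy` uses, is the safer target; worth confirming against the routes file. Since `session[:return_to]` is only ever assigned from `blogpost_path(...)` in `edit`, it is not user-controlled and does not by itself create an open redirect.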
@@ -1,12 +1,9 @@
|
||||
class UsersController < ApplicationController
|
||||
# GET /users
|
||||
# GET /users.json
|
||||
|
||||
def index
|
||||
@users = User.all
|
||||
end
|
||||
|
||||
# GET /users/1
|
||||
# GET /users/1.json
|
||||
def show
|
||||
@user = User.find(params[:id])
|
||||
end
|
||||
@@ -27,7 +24,7 @@ class UsersController < ApplicationController
|
||||
if current_user && (current_user.id = params[:id] || current_user.rank >= rank_to_int("mod"))
|
||||
@user = User.find(params[:id])
|
||||
else
|
||||
flash[:alert] = "You are not allwoed to edit this user"
|
||||
flash[:alert] = "You are not allowed to edit this user"
|
||||
redirect_to user_path(params[:id])
|
||||
end
|
||||
end
|
||||
@@ -36,9 +33,11 @@ class UsersController < ApplicationController
|
||||
# POST /users.json
|
||||
def create
|
||||
@user = User.new(params[:user])
|
||||
@user.last_ip = request.remote_ip
|
||||
if @user.save
|
||||
redirect_to @user, notice: 'User was successfully created.'
|
||||
else
|
||||
flash[:alert] = "Something went wrong"
|
||||
render action: "new"
|
||||
end
|
||||
end
|
||||
|
||||
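Review bot: The permission check `current_user.id = params[:id] || current_user.rank >= rank_to_int("mod")` uses a single `=`, so it assigns `params[:id]` (or the result of the rank test) to the in-memory user's id instead of comparing; because the assigned value is truthy whenever an id is present, every signed-in user passes and the check does not restrict editing to the user's own record or to mods. It should read `if current_user && (current_user.id.to_s == params[:id].to_s || current_user.rank >= rank_to_int("mod"))` — the `.to_s` is needed because `params[:id]` is a String while `id` is an Integer. The `def` enclosing this check starts before the hunk, so the rest of the action is not visible here. In `create`, `User.new(params[:user])` mass-assigns whatever the form submits; if `rank` is not excluded from mass assignment on the model, a self-registered account could set its own rank — not visible from this diff, so worth confirming on the `User` model.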