security, user index
This commit is contained in:
jomo
@@ -10,20 +10,26 @@ class BlogpostsController < ApplicationController
|
||||
end
|
||||
|
||||
def new
|
||||
@post = Blogpost.new
|
||||
if current_user && current_user.rank >= rank_to_int("mod")
|
||||
@post = Blogpost.new
|
||||
else
|
||||
flash[:alert] = "You are not allowed to create a new post!"
|
||||
redirect_to blogposts_path
|
||||
end
|
||||
end
|
||||
|
||||
# GET /blogposts/1/edit
|
||||
def edit
|
||||
@post = Blogpost.find(params[:id])
|
||||
@post = Blogpost.find(params[:id])
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @edit.user))
|
||||
else
|
||||
flash[:alert] = "You are not allowed to update this post!"
|
||||
end
|
||||
end
|
||||
|
||||
# POST /blogposts
|
||||
# POST /blogposts.json
|
||||
def create
|
||||
if current_user && current_user.rank >= rank_to_int("mod")
|
||||
@post = Blogpost.new(params[:blogpost])
|
||||
@post.user_id = current_user.id unless current_user.nil?
|
||||
@post.user = current_user
|
||||
if @post.save
|
||||
redirect_to @post, notice: 'Post has been created.'
|
||||
else
|
||||
@@ -35,24 +41,29 @@ class BlogpostsController < ApplicationController
|
||||
end
|
||||
end
|
||||
|
||||
# PUT /blogposts/1
|
||||
# PUT /blogposts/1.json
|
||||
def update
|
||||
@post = Blogpost.find(params[:id])
|
||||
|
||||
if @post.update_attributes(params[:blogpost])
|
||||
redirect_to @post, notice: 'Post has been updated.'
|
||||
else
|
||||
render action: "edit"
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @post.user))
|
||||
if @post.update_attributes(params[:blogpost])
|
||||
redirect_to @post, notice: 'Post has been updated.'
|
||||
else
|
||||
flash[:alert] = "There was a problem while updating the post"
|
||||
render action: "edit"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# DELETE /blogposts/1
|
||||
# DELETE /blogposts/1.json
|
||||
def destroy
|
||||
@post = Blogpost.find(params[:id])
|
||||
@post.destroy
|
||||
|
||||
redirect_to blog_url
|
||||
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @post.user))
|
||||
if @post.destroy
|
||||
flash[:notice] = "Post deleted!"
|
||||
else
|
||||
flash[:alert] = "There was a problem while deleting this Post"
|
||||
end
|
||||
else
|
||||
flash[:alert] = "You are not allowed to delete this Post"
|
||||
end
|
||||
redirect_to blogpots_path
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user