diff --git a/Gemfile.lock b/Gemfile.lock
index d981efe..6ef5a6b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -221,6 +221,8 @@
     pundit (1.1.0)
       activesupport (>= 3.0.0)
     rack (1.6.4)
+    rack-mini-profiler (0.10.1)
+      rack (>= 1.2.0)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.2.7)
@@ -345,6 +347,7 @@
   omniauth-shibboleth
   protected_attributes
   pundit
+  rack-mini-profiler
   rack-test
   rails (= 4.2.7)
   railties
diff --git a/app/controllers/answers_controller.rb b/app/controllers/answers_controller.rb
index 15703bc..e157e76 100644
--- a/app/controllers/answers_controller.rb
+++ b/app/controllers/answers_controller.rb
@@ -1,43 +1,37 @@ class AnswersController < ApplicationController + after_action :verify_authorized # POST /answers - # POST /answers.json def create @answer = Answer.new(params[:answer]) - if (user_signed_in?) && @answer.plan.editable_by(current_user.id) then - old_answer = @answer.plan.answer(@answer.question_id, false) - proceed = false - @answer.text = params["answer-text-#{@answer.question_id}".to_sym] - if (old_answer.nil? && @answer.text != "") || ((!old_answer.nil?) && (old_answer.text != @answer.text)) then + authorize @answer + old_answer = @answer.plan.answer(@answer.question_id, false) + proceed = false + @answer.text = params["answer-text-#{@answer.question_id}".to_sym] + if (old_answer.nil? && @answer.text != "") || ((!old_answer.nil?) && (old_answer.text != @answer.text)) then + proceed = true + end + + if (@answer.question.question_format.title == I18n.t("helpers.checkbox") || + @answer.question.question_format.title == I18n.t("helpers.multi_select_box") || + @answer.question.question_format.title == I18n.t("helpers.radio_buttons") || + @answer.question.question_format.title == I18n.t("helpers.dropdown")) then + if (old_answer.nil? && @answer.option_ids.count > 0) || ((!old_answer.nil?) && (old_answer.option_ids - @answer.option_ids).count != 0 && (@answer.option_ids - old_answer.option_ids).count != 0) then proceed = true end - - if (@answer.question.question_format.title == I18n.t("helpers.checkbox") || - @answer.question.question_format.title == I18n.t("helpers.multi_select_box") || - @answer.question.question_format.title == I18n.t("helpers.radio_buttons") || - @answer.question.question_format.title == I18n.t("helpers.dropdown")) then - if (old_answer.nil? && @answer.option_ids.count > 0) || ((!old_answer.nil?) 
&& (old_answer.option_ids - @answer.option_ids).count != 0 && (@answer.option_ids - old_answer.option_ids).count != 0) then - proceed = true - end - end - if proceed - respond_to do |format| - if @answer.save - format.html { redirect_to :back, status: :found, notice: I18n.t('helpers.project.answer_recorded') } - format.json { render json: @answer, status: :created, location: @answer } - else - format.html { redirect_to :back, notice: I18n.t('helpers.project.answer_error') } - format.json { render json: @answer.errors, status: :unprocessable_entity } - end - end - else - respond_to do |format| - format.html { redirect_to :back, notice: I18n.t('helpers.project.answer_no_change') } - format.json { render json: @answer.errors, status: :unprocessable_entity } + end + if proceed + respond_to do |format| + if @answer.save + format.html { redirect_to :back, status: :found, notice: I18n.t('helpers.project.answer_recorded') } + else + format.html { redirect_to :back, notice: I18n.t('helpers.project.answer_error') } end end else - render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false) + respond_to do |format| + format.html { redirect_to :back, notice: I18n.t('helpers.project.answer_no_change') } + end end - end + end end \ No newline at end of file diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 5eb574e..005e288 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -3,7 +3,6 @@ include GlobalHelpers include Pundit - helper_method GlobalHelpers.instance_methods # Override build_footer method in ActiveAdmin::Views::Pages diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 6d1ce7c..87838cb 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb 
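Review bot: With the explicit `public/403.html` render removed from `create`, a request that fails `authorize @answer` now propagates `Pundit::NotAuthorizedError`, and `@answer.plan` is nil when `params[:answer][:plan_id]` is missing, so both paths end in a 500 unless ApplicationController handles them; no `rescue_from Pundit::NotAuthorizedError` is visible in this diff, so confirm one exists and renders the 403 page. Because `@answer` is mass-assigned from `params[:answer]`, `AnswerPolicy#create?` (not shown here) has to derive the decision from `record.plan` and `user` alone and treat a nil `record.plan` as denied, rather than trusting any other client-supplied attribute. Separately, the option comparison on the new side only detects a change when options were both added and removed (`… != 0 && … != 0`), so ticking one extra checkbox is reported as "no change"; the intended condition is `(old_answer.option_ids - @answer.option_ids).any? || (@answer.option_ids - old_answer.option_ids).any?`.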
@@ -1,69 +1,39 @@ class CommentsController < ApplicationController - # GET /comments - # GET /comments.json - def index - @comments = Comment.all - - respond_to do |format| - format.html # index.html.erb - format.json { render json: @comments } - end - end - - # GET /comments/1 - # GET /comments/1.json - def show - @comment = Comment.find(params[:id]) - - respond_to do |format| - format.html # show.html.erb - format.json { render json: @comment } - end - end - - - # GET /comments/1/edit - def edit - @comment = Comment.find(params[:id]) - end + after_action :verify_authorized # POST /comments - # POST /comments.json def create - if user_signed_in? then - @comment = Comment.new(params[:new_comment]) - @comment.text = params["#{params[:new_comment][:question_id]}new_comment_text"] - @comment.question_id = params[:new_comment][:question_id] - @comment.user_id = params[:new_comment][:user_id] - @comment.plan_id = params[:new_comment][:plan_id] - - @plan = Plan.find(@comment.plan_id) - @project = Project.find(@plan.project_id) - - respond_to do |format| - if @comment.save - session[:question_id_comments] = @comment.question_id - format.html { redirect_to edit_project_plan_path(@project, @plan), status: :found, notice: I18n.t("helpers.comments.comment_created") } - format.json { head :no_content } - end - end - end + @comment = Comment.new(params[:new_comment]) + @comment.text = params["#{params[:new_comment][:question_id]}new_comment_text"] + @comment.question_id = params[:new_comment][:question_id] + @comment.user_id = params[:new_comment][:user_id] + @comment.plan_id = params[:new_comment][:plan_id] + authorize @comment + + @plan = Plan.find(@comment.plan_id) + @project = Project.find(@plan.project_id) + + respond_to do |format| + if @comment.save + session[:question_id_comments] = @comment.question_id + format.html { redirect_to edit_project_plan_path(@project, @plan), status: :found, notice: I18n.t("helpers.comments.comment_created") } + end + end end # PUT 
/comments/1 - # PUT /comments/1.json def update @comment = Comment.find(params[:comment][:id]) + authorize @comment @comment.text = params["#{params[:comment][:id]}_comment_text"] - + @plan = Plan.find(@comment.plan_id) @project = Project.find(@plan.project_id) - + respond_to do |format| if @comment.update_attributes(params[:comment]) session[:question_id_comments] = @comment.question_id format.html { redirect_to edit_project_plan_path(@project, @plan), status: :found, notice: I18n.t("helpers.comments.comment_updated") } - format.json { head :no_content } end end end @@ -72,9 +42,10 @@ # ARCHIVE /comments/1.json def archive @comment = Comment.find(params[:comment][:id]) + authorize @comment @comment.archived = true @comment.archived_by = params[:comment][:archived_by] - + @plan = Plan.find(@comment.plan_id) @project = Project.find(@plan.project_id) @@ -82,9 +53,9 @@ if @comment.update_attributes(params[:comment]) session[:question_id_comments] = @comment.question_id format.html { redirect_to edit_project_plan_path(@project, @plan), status: :found, notice: I18n.t("helpers.comments.comment_removed") } - end + end end end - - + + end diff --git a/app/controllers/dmptemplates_controller.rb b/app/controllers/dmptemplates_controller.rb index 817e961..e7680a5 100644 --- a/app/controllers/dmptemplates_controller.rb +++ b/app/controllers/dmptemplates_controller.rb @@ -3,9 +3,9 @@ # [+Copyright:+] Digital Curation Centre and University of California Curation Center class DmptemplatesController < ApplicationController + after_action :verify_authorized # GET /dmptemplates - # GET /dmptemplates.json def admin_index authorize Dmptemplate #institutional templates 
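Review bot: In `create`, `@comment.user_id = params[:new_comment][:user_id]` lets the request choose the comment's author, and `authorize @comment` then runs on that client-supplied value, so a CommentPolicy that compares `record.user_id` with `user.id` (the policy is not in this diff) would be satisfied by whatever id the form sends; the author should come from the session, `@comment.user_id = current_user.id`. The `archive` hunk further down has the same shape with `@comment.archived_by = params[:comment][:archived_by]`, which should likewise be `current_user.id`. Both `update` and `archive` then hand the whole `params[:comment]` hash to `update_attributes`, so `id`, `user_id`, `plan_id` and `archived_by` are only protected if the model's `attr_accessible` list (protected_attributes is in the lockfile) excludes them — worth confirming rather than assuming.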
@@ -18,20 +18,17 @@ end # GET /dmptemplates/1 - # GET /dmptemplates/1.json def admin_template @dmptemplate = Dmptemplate.find(params[:id]) authorize @dmptemplate respond_to do |format| format.html # show.html.erb - format.json { render json: @dmptemplate } end end # PUT /dmptemplates/1 - # PUT /dmptemplates/1.json def admin_update @dmptemplate = Dmptemplate.find(params[:id]) authorize @dmptemplate @@ -39,28 +36,23 @@ respond_to do |format| if @dmptemplate.update_attributes(params[:dmptemplate]) format.html { redirect_to admin_template_dmptemplate_path(params[:dmptemplate]), notice: I18n.t('org_admin.templates.updated_message') } - format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @dmptemplate.errors, status: :unprocessable_entity } end end end # GET /dmptemplates/new - # GET /dmptemplates/new.json def admin_new @dmptemplate = Dmptemplate.new authorize @dmptemplate respond_to do |format| format.html # new.html.erb - format.json { render json: @dmptemplate } end end # POST /dmptemplates - # POST /dmptemplates.json def admin_create @dmptemplate = Dmptemplate.new(params[:dmptemplate]) @dmptemplate.organisation_id = current_user.organisation.id @@ -69,10 +61,8 @@ respond_to do |format| if @dmptemplate.save format.html { redirect_to admin_template_dmptemplate_path(@dmptemplate), notice: I18n.t('org_admin.templates.created_message') } - format.json { render json: @dmptemplate, status: :created, location: @dmptemplate } else format.html { render action: "admin_new" } - format.json { render json: @dmptemplate.errors, status: :unprocessable_entity } end end end @@ -80,14 +70,12 @@ # DELETE /dmptemplates/1 - # DELETE /dmptemplates/1.json def admin_destroy @dmptemplate = Dmptemplate.find(params[:id]) authorize @dmptemplate @dmptemplate.destroy respond_to do |format| format.html { redirect_to admin_index_dmptemplate_path } - format.json { head :no_content } end end 
@@ -178,10 +166,8 @@ respond_to do |format| if @phase.save format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :edit => 'true'), notice: I18n.t('org_admin.templates.created_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @phase.errors, status: :unprocessable_entity } end end end @@ -195,10 +181,8 @@ respond_to do |format| if @phase.update_attributes(params[:phase]) format.html { redirect_to admin_phase_dmptemplate_path(@phase), notice: I18n.t('org_admin.templates.updated_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @phase.errors, status: :unprocessable_entity } end end end @@ -211,7 +195,6 @@ @phase.destroy respond_to do |format| format.html { redirect_to admin_template_dmptemplate_path(@dmptemplate), notice: I18n.t('org_admin.templates.destroyed_message') } - format.json { head :no_content } end end @@ -238,10 +221,8 @@ respond_to do |format| if @version.update_attributes(params[:version]) format.html { redirect_to admin_phase_dmptemplate_path(@phase, :version_id => @version.id, :edit => 'false'), notice: I18n.t('org_admin.templates.updated_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @version.errors, status: :unprocessable_entity } end end end @@ -255,10 +236,8 @@ respond_to do |format| if @version.save format.html { redirect_to admin_phase_dmptemplate_path(@phase, :version_id => @version.id, :edit => 'true'), notice: I18n.t('org_admin.templates.updated_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @version.errors, status: :unprocessable_entity } end end end 
@@ -271,7 +250,6 @@ @version.destroy respond_to do |format| format.html { redirect_to admin_phase_dmptemplate_path(@phase), notice: I18n.t('org_admin.templates.destroyed_message') } - format.json { head :no_content } end end @@ -286,10 +264,8 @@ respond_to do |format| if @section.save format.html { redirect_to admin_phase_dmptemplate_path(:id => @section.version.phase_id, :version_id => @section.version_id, :section_id => @section.id, :edit => 'true'), notice: I18n.t('org_admin.templates.created_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @section.errors, status: :unprocessable_entity } end end end @@ -305,10 +281,8 @@ respond_to do |format| if @section.update_attributes(params[:section]) format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :section_id => @section.id , :edit => 'true'), notice: I18n.t('org_admin.templates.updated_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @section.errors, status: :unprocessable_entity } end end end @@ -323,7 +297,6 @@ @section.destroy respond_to do |format| format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :edit => 'true' ), notice: I18n.t('org_admin.templates.destroyed_message') } - format.json { head :no_content } end end @@ -339,10 +312,8 @@ respond_to do |format| if @question.save format.html { redirect_to admin_phase_dmptemplate_path(:id => @question.section.version.phase_id, :version_id => @question.section.version_id, :section_id => @question.section_id, :question_id => @question.id, :edit => 'true'), notice: I18n.t('org_admin.templates.created_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @question.errors, status: :unprocessable_entity } end end end 
@@ -359,10 +330,8 @@ respond_to do |format| if @question.update_attributes(params[:question]) format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :section_id => @section.id, :question_id => @question.id, :edit => 'true'), notice: I18n.t('org_admin.templates.updated_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @question.errors, status: :unprocessable_entity } end end end @@ -377,7 +346,6 @@ @question.destroy respond_to do |format| format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :section_id => @section.id, :edit => 'true'), notice: I18n.t('org_admin.templates.destroyed_message') } - format.json { head :no_content } end end @@ -390,10 +358,8 @@ respond_to do |format| if @suggested_answer.save format.html { redirect_to admin_phase_dmptemplate_path(:id => @suggested_answer.question.section.version.phase_id, :version_id => @suggested_answer.question.section.version_id, :section_id => @suggested_answer.question.section_id, :question_id => @suggested_answer.question.id, :edit => 'true'), notice: I18n.t('org_admin.templates.created_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @suggested_answer.errors, status: :unprocessable_entity } end end end @@ -411,10 +377,8 @@ respond_to do |format| if @suggested_answer.update_attributes(params[:suggested_answer]) format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :section_id => @section.id, :question_id => @question.id, :edit => 'true'), notice: I18n.t('org_admin.templates.updated_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @suggested_answer.errors, status: :unprocessable_entity } end end end 
@@ -430,7 +394,6 @@ @suggested_answer.destroy respond_to do |format| format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :section_id => @section.id, :edit => 'true'), notice: I18n.t('org_admin.templates.destroyed_message') } - format.json { head :no_content } end end @@ -447,10 +410,8 @@ respond_to do |format| if @guidance.save format.html { redirect_to admin_phase_dmptemplate_path(:id => @question.section.version.phase_id, :version_id => @question.section.version_id, :section_id => @question.section_id, :question_id => @question.id, :edit => 'true'), notice: I18n.t('org_admin.templates.created_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @guidance.errors, status: :unprocessable_entity } end end end @@ -467,10 +428,8 @@ respond_to do |format| if @question.update_attributes(params[:question]) format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :section_id => @section.id, :question_id => @question.id, :edit => 'true'), notice: I18n.t('org_admin.templates.updated_message') } - format.json { head :no_content } else format.html { render action: "admin_phase" } - format.json { render json: @question.errors, status: :unprocessable_entity } end end end @@ -485,7 +444,6 @@ @question.destroy respond_to do |format| format.html { redirect_to admin_phase_dmptemplate_path(:id => @phase.id, :version_id => @version.id, :section_id => @section.id, :edit => 'true'), notice: I18n.t('org_admin.templates.destroyed_message') } - format.json { head :no_content } end end diff --git a/app/controllers/guidance_groups_controller.rb b/app/controllers/guidance_groups_controller.rb index 4c0c900..8b3a6d5 100644 --- a/app/controllers/guidance_groups_controller.rb +++ b/app/controllers/guidance_groups_controller.rb 
@@ -1,14 +1,12 @@ class GuidanceGroupsController < ApplicationController - + after_action :verify_authorized # GET /guidance_groups/1 - # GET /guidance_groups/1.json def admin_show @guidance_group = GuidanceGroup.find(params[:id]) authorize @guidance_group respond_to do |format| format.html - format.json { render json: @guidance_group } end end @@ -19,7 +17,6 @@ authorize @guidance_group respond_to do |format| format.html # new.html.erb - format.json { render json: @guidance } end end @@ -37,10 +34,8 @@ respond_to do |format| if @guidance_group.save format.html { redirect_to admin_index_guidance_path, notice: I18n.t('org_admin.guidance_group.created_message') } - format.json { render json: @guidance_group, status: :created, location: @guidance_group } else format.html { render action: "new" } - format.json { render json: @guidance_group.errors, status: :unprocessable_entity } end end end @@ -54,7 +49,6 @@ # PUT /guidance_groups/1 - # PUT /guidance_groups/1.json def admin_update @guidance_group = GuidanceGroup.find(params[:id]) authorize @guidance_group @@ -62,10 +56,8 @@ respond_to do |format| if @guidance_group.update_attributes(params[:guidance_group]) format.html { redirect_to admin_index_guidance_path(params[:guidance_group]), notice: I18n.t('org_admin.guidance_group.updated_message') } - format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @guidance_group.errors, status: :unprocessable_entity } end end end @@ -81,10 +73,8 @@ respond_to do |format| if @guidance_group.update_attributes(params[:guidance_group]) format.html { redirect_to admin_index_guidance_path(params[:guidance_group]), notice: I18n.t('org_admin.guidance_group.updated_message') } - format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @guidance_group.errors, status: :unprocessable_entity } end end end 
@@ -98,7 +88,6 @@ @guidance_group.destroy respond_to do |format| format.html { redirect_to admin_index_guidance_path, notice: I18n.t('org_admin.guidance_group.destroyed_message') } - format.json { head :no_content } end end diff --git a/app/controllers/guidances_controller.rb b/app/controllers/guidances_controller.rb index abb2c1e..87b32ca 100644 --- a/app/controllers/guidances_controller.rb +++ b/app/controllers/guidances_controller.rb @@ -1,24 +1,22 @@ class GuidancesController < ApplicationController + after_action :verify_authorized + # GET /guidances - # GET /guidances.json def admin_index authorize Guidance @guidances = policy_scope(Guidance) @guidance_groups = GuidanceGroup.where('organisation_id = ?', current_user.organisation_id ) respond_to do |format| format.html # index.html.erb - format.json { render json: @guidances } end end # GET /guidances/1 - # GET /guidances/1.json def admin_show @guidance = Guidance.find(params[:id]) authorize @guidance respond_to do |format| format.html # show.html.erb - format.json { render json: @guidance } end end @@ -139,7 +137,6 @@ end # POST /guidances - # POST /guidances.json def admin_create @guidance = Guidance.new(params[:guidance]) authorize @guidance @@ -155,16 +152,13 @@ respond_to do |format| if @guidance.save format.html { redirect_to admin_show_guidance_path(@guidance), notice: I18n.t('org_admin.guidance.created_message') } - format.json { render json: @guidance, status: :created, location: @guidance } else format.html { render action: "new" } - format.json { render json: @guidance.errors, status: :unprocessable_entity } end end end # PUT /guidances/1 - # PUT /guidances/1.json def admin_update @guidance = Guidance.find(params[:id]) authorize @guidance 
@@ -173,25 +167,21 @@ respond_to do |format| if @guidance.update_attributes(params[:guidance]) format.html { redirect_to admin_show_guidance_path(params[:guidance]), notice: I18n.t('org_admin.guidance.updated_message') } - format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @guidance.errors, status: :unprocessable_entity } end end end # DELETE /guidances/1 - # DELETE /guidances/1.json def admin_destroy @guidance = Guidance.find(params[:id]) authorize @guidance @guidance.destroy respond_to do |format| format.html { redirect_to admin_index_guidance_path } - format.json { head :no_content } end end -end +end \ No newline at end of file diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb index 110f579..fe5a071 100644 --- a/app/controllers/home_controller.rb +++ b/app/controllers/home_controller.rb @@ -1,16 +1,14 @@ class HomeController < ApplicationController + def index if user_signed_in? name = current_user.name(false) - if name.nil? || name == "" then + if name.blank? redirect_to edit_user_registration_path else redirect_to projects_url end end end - - def about_us - end end diff --git a/app/controllers/organisations_controller.rb b/app/controllers/organisations_controller.rb index 16ea960..839d7c4 100644 --- a/app/controllers/organisations_controller.rb +++ b/app/controllers/organisations_controller.rb 
@@ -1,64 +1,26 @@ class OrganisationsController < ApplicationController - # GET /organisations - # GET /organisations.json - def index - @organisations = Organisation.all - - respond_to do |format| - format.html # index.html.erb - format.json { render json: @organisations } - end - end - - # GET /organisations/new - # GET /organisations/new.json - def new - @organisation = Organisation.new - - respond_to do |format| - format.html # new.html.erb - format.json { render json: @organisation } - end - end - - # POST /organisations - # POST /organisations.json - def create - @organisation = Organisation.new(params[:organisation]) - @organisation.logo = param[:organisation][:logo] - respond_to do |format| - if @organisation.save - format.html { redirect_to @organisation, notice: I18n.t("admin.org_created_message") } - format.json { render json: @organisation, status: :created, location: @organisation } - else - format.html { render action: "new" } - format.json { render json: @organisation.errors, status: :unprocessable_entity } - end - end - end - + after_action :verify_authorized # GET /organisations/1 - # GET /organisations/1.json def admin_show @organisation = Organisation.find(params[:id]) authorize @organisation respond_to do |format| format.html # show.html.erb - format.json { render json: @organisation } end end # GET /organisations/1/edit def admin_edit - @organisation = authorize Organisation.find(params[:id]) + @organisation = Organisation.find(params[:id]) + authorize @organisation end # PUT /organisations/1 - # PUT /organisations/1.json def admin_update - @organisation = authorize Organisation.find(params[:id]) + @organisation = Organisation.find(params[:id]) + authorize @organisation @organisation.banner_text = params["org_banner_text"] @organisation.logo = params[:organisation][:logo] if params[:organisation][:logo] assign_params = params[:organisation].dup 
@@ -67,34 +29,24 @@ respond_to do |format| if @organisation.update_attributes(assign_params) format.html { redirect_to admin_show_organisation_path(params[:id]), notice: I18n.t("admin.org_updated_message") } - format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @organisation.errors, status: :unprocessable_entity } end end end - # DELETE /organisations/1 - # DELETE /organisations/1.json - def destroy - @organisation = Organisation.find(params[:id]) - @organisation.destroy - - respond_to do |format| - format.html { redirect_to organisations_url } - format.json { head :no_content } - end - end - + #TODO: see if this is used by the ajax... otherwise lock it down def parent @organisation = Organisation.find(params[:id]) + authorize @organisation parent_org = @organisation.find_by {|o| o.parent_id } return parent_org end + #TODO: see is this is used by the ajax... otherwise lock it down def children @organisation = Organisation.find(params[:id]) + authorize @organisation #if user_signed_in? then children = {} @organisation.children.each do |child| @@ -108,8 +60,10 @@ # end end + #TODO: see if this is used by the ajax... otherwise lock it down def templates @organisation = Organisation.find(params[:id]) + authorize @organisation #if user_signed_in? then templates = {} @organisation.dmptemplates.each do |template| diff --git a/app/controllers/plans_controller.rb b/app/controllers/plans_controller.rb index bc9b490..9a05242 100644 --- a/app/controllers/plans_controller.rb +++ b/app/controllers/plans_controller.rb 
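Review bot: `authorize @organisation` in `parent` (and in `children` and `templates` in this and the next hunk) resolves, by Pundit's action-name convention, to `OrganisationPolicy#parent?`, `#children?` and `#templates?`; if those predicates are not defined the call raises NoMethodError on every request, which is a 500 for legitimate callers and no 403 for anyone else, so either define them or pass the query explicitly, e.g. `authorize @organisation, :admin_show?`. The new TODO comments leave open whether these endpoints are still reachable via AJAX; until that is settled, reusing the rule behind `admin_show?` is the conservative default. The line just after the new `authorize`, `parent_org = @organisation.find_by {|o| o.parent_id }`, looks like a relation method invoked on a single record and its result is returned rather than rendered, so it is worth confirming that this action works at all before locking it down.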
@@ -1,12 +1,13 @@ class PlansController < ApplicationController #Uncomment the line below in order to add authentication to this page - users without permission will not be able to add new plans #load_and_authorize_resource + after_action :verify_authorized + # GET /plans/1/edit def edit @plan = Plan.find(params[:id]) - - + authorize @plan if !user_signed_in? then respond_to do |format| format.html { redirect_to edit_user_registration_path } @@ -22,6 +23,7 @@ # PUT /plans/1.json def update @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.editable_by(current_user.id) then respond_to do |format| if @plan.update_attributes(params[:plan]) @@ -29,7 +31,6 @@ format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @plan.errors, status: :unprocessablne_entity } end end else @@ -37,9 +38,11 @@ end end - # GET /status/1.json - def status + # GET /status/1.json + # only returns json, why is this here? + def status @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.readable_by(current_user.id) then respond_to do |format| format.json { render json: @plan.status } @@ -51,6 +54,7 @@ def section_answers @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.readable_by(current_user.id) then respond_to do |format| format.json { render json: @plan.section_answers(params[:section_id]) } @@ -62,6 +66,7 @@ def locked @plan = Plan.find(params[:id]) + authorize @plan if !@plan.nil? && user_signed_in? && @plan.readable_by(current_user.id) then respond_to do |format| format.json { render json: @plan.locked(params[:section_id],current_user.id) } 
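Review bot: In `edit`, `authorize @plan` now runs before the `if !user_signed_in?` redirect, so an anonymous request reaches PlanPolicy with a nil `user`; unless its predicates guard for that (for example by starting with `return false unless user`), the former redirect to `edit_user_registration_path` becomes a NoMethodError. The same ordering is used in every other hunk of this file and in `edit`, `share` and `export` of projects_controller.rb. Simply moving `authorize` below the sign-in check is not enough, because the `after_action :verify_authorized` added in this hunk would then raise `Pundit::AuthorizationNotPerformedError` on the redirect path; making the policy nil-safe, or calling `skip_authorization` on that path, is the cleaner fix. The body of `edit` continues past the end of this hunk.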
@@ -73,14 +78,13 @@ def delete_recent_locks @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.editable_by(current_user.id) then respond_to do |format| if @plan.delete_recent_locks(current_user.id) format.html { render action: "edit" } - format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @plan.errors, status: :unprocessable_entity } end end else @@ -90,14 +94,13 @@ def unlock_all_sections @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.editable_by(current_user.id) then respond_to do |format| if @plan.unlock_all_sections(current_user.id) format.html { render action: "edit" } - format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @plan.errors, status: :unprocessable_entity } end end else @@ -107,11 +110,11 @@ def lock_section @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.editable_by(current_user.id) then respond_to do |format| if @plan.lock_section(params[:section_id], current_user.id) format.html { render action: "edit" } - format.json { head :no_content } else format.html { render action: "edit" } format.json { render json: @plan.errors, status: :unprocessable_entity } @@ -124,14 +127,14 @@ def unlock_section @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.editable_by(current_user.id) then respond_to do |format| if @plan.unlock_section(params[:section_id], current_user.id) format.html { render action: "edit" } - format.json { head :no_content } + else - format.html { render action: "edit" } - format.json { render json: @plan.errors, status: :unprocessable_entity } + format.html { render action: "edit" }] end end else 
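Review bot: The added line in `unlock_section`, `format.html { render action: "edit" }]`, carries a stray `]` that makes plans_controller.rb fail to parse, so every PlansController action — including the authorization this commit adds — is unreachable until it is fixed; the line should read `format.html { render action: "edit" }`. In the `lock_section` hunk just above, the `else` branch still keeps `format.json { render json: @plan.errors, status: :unprocessable_entity }` while the sibling actions drop their JSON responders, which looks like an oversight rather than intent.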
@@ -141,6 +144,7 @@ def answer @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.readable_by(current_user.id) then respond_to do |format| format.json { render json: @plan.answer(params[:q_id], false).to_json(:include => :options) } @@ -152,6 +156,7 @@ def warning @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.readable_by(current_user.id) then respond_to do |format| format.json { render json: @plan.warning(params[:option_id]) } @@ -163,6 +168,7 @@ def export @plan = Plan.find(params[:id]) + authorize @plan if user_signed_in? && @plan.readable_by(current_user.id) then @exported_plan = ExportedPlan.new.tap do |ep| diff --git a/app/controllers/project_groups_controller.rb b/app/controllers/project_groups_controller.rb index 426b842..2d81d39 100644 --- a/app/controllers/project_groups_controller.rb +++ b/app/controllers/project_groups_controller.rb @@ -1,7 +1,9 @@ class ProjectGroupsController < ApplicationController + after_action :verify_authorized def create @project_group = ProjectGroup.new(params[:project_group]) + authorize @project_group access_level = params[:project_group][:access_level].to_i if access_level >= 3 then @project_group.project_administrator = true @@ -30,15 +32,12 @@ end flash[:notice] = message format.html { redirect_to :controller => 'projects', :action => 'share', :id => @project_group.project.slug } - format.json { render json: @project_group, status: :created, location: @project_group } else format.html { render action: "new" } - format.json { render json: @project_group.errors, status: :unprocessable_entity } end else flash[:notice] = I18n.t('helpers.project.enter_email') format.html { redirect_to :controller => 'projects', :action => 'share', :id => @project_group.project.slug } - format.json { render json: @project_group, status: :created, location: @project_group } end end else 
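Review bot: In project_groups_controller.rb `create`, `authorize @project_group` is called on a record built entirely from `params[:project_group]`, so `ProjectGroupPolicy#create?` must derive the permission from `record.project` and `user` (as `destroy` does with `administerable_by`) rather than from any other attribute of the record, and it must tolerate `record.project` being nil when the form omits `project_id`. The `access_level` read from the same params then sets `project_administrator`, which is acceptable only once that policy check has confirmed the caller administers the project. The policy is not part of this diff, so this is a point to confirm; the remainder of `create` lies outside the hunk.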
@@ -49,6 +48,7 @@ def update @project_group = ProjectGroup.find(params[:id]) + authorize @project_group access_level = params[:project_group][:access_level].to_i if access_level >= 3 then @project_group.project_administrator = true @@ -66,10 +66,8 @@ flash[:notice] = I18n.t('helpers.project.sharing_updated') UserMailer.permissions_change_notification(@project_group).deliver format.html { redirect_to :controller => 'projects', :action => 'share', :id => @project_group.project.slug } - format.json { head :no_content } else format.html { render action: "edit" } - format.json { render json: @project_group.errors, status: :unprocessable_entity } end end else @@ -79,6 +77,7 @@ def destroy @project_group = ProjectGroup.find(params[:id]) + authorize @project_group if (user_signed_in?) && @project_group.project.administerable_by(current_user.id) then user = @project_group.user project = @project_group.project @@ -87,7 +86,6 @@ flash[:notice] = I18n.t('helpers.project.access_removed') UserMailer.project_access_removed_notification(user, project).deliver format.html { redirect_to :controller => 'projects', :action => 'share', :id => @project_group.project.slug } - format.json { head :no_content } end else render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false) diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index cb50378..f01d810 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb 
@@ -1,9 +1,11 @@ class ProjectsController < ApplicationController before_filter :get_plan_list_columns, only: %i( index ) + after_action :verify_authorized # GET /projects # GET /projects.json def index + authorize Project ## TODO: Is this A magic String? the "Show_shib_link?" as we define it and users dont see cookies if user_signed_in? then if (current_user.shibboleth_id.nil? || current_user.shibboleth_id.length == 0) && !cookies[:show_shib_link].nil? && cookies[:show_shib_link] == "show_shib_link" then @@ -15,7 +17,6 @@ respond_to do |format| format.html # index.html.erb - format.json { render json: @projects } end else respond_to do |format| @@ -28,6 +29,7 @@ # GET /projects/1.json def show @project = Project.find(params[:id]) + authorize @project @show_form = false if params[:show_form] == "yes" then @show_form = true @@ -35,7 +37,6 @@ if user_signed_in? && @project.readable_by(current_user.id) then respond_to do |format| format.html # show.html.erb - format.json { render json: @project } end elsif user_signed_in? then respond_to do |format| @@ -52,7 +53,8 @@ # GET /projects/new.json def new if user_signed_in? then - @project = Project.new + @project = Project.new + authorize @project @project.organisation = current_user.organisation @funders = orgs_of_type(constant("organisation_types.funder"), true) @templates = get_available_templates @@ -62,7 +64,6 @@ respond_to do |format| format.html # new.html.erb - format.json { render json: @project } end else respond_to do |format| @@ -75,6 +76,7 @@ # Should this be removed? def edit @project = Project.find(params[:id]) + authorize @project if !user_signed_in? then respond_to do |format| format.html { redirect_to edit_user_registration_path } @@ -88,6 +90,7 @@ def share @project = Project.find(params[:id]) + authorize @project if !user_signed_in? then respond_to do |format| format.html { redirect_to edit_user_registration_path } 
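Review bot: `authorize Project` in `index` performs no real check: ProjectPolicy (L40) defines no `index?`, so the call resolves to ApplicationPolicy#index?, which this same commit flips to `true` (L34), and the line only satisfies the `verify_authorized` after_action. If every signed-in user may list projects, state that explicitly in ProjectPolicy with `def index?; true; end` rather than relying on the inherited default, and do the same for the `new?`/`create?` that the `new` hunk here and `create` (L21) depend on. The `index` body continues outside the hunk.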
@@ -101,6 +104,7 @@ def export @project = Project.find(params[:id]) + authorize @project if !user_signed_in? then respond_to do |format| format.html { redirect_to edit_user_registration_path } @@ -118,7 +122,7 @@ def create if user_signed_in? then @project = Project.new(params[:project]) - + authorize @project if @project.dmptemplate.nil? && params[:project][:funder_id] != "" then # this shouldn't be necessary - see setter for funder_id in project.rb funder = Organisation.find(params[:project][:funder_id]) if funder.dmptemplates.count == 1 then @@ -138,10 +142,8 @@ respond_to do |format| if @project.save format.html { redirect_to({:action => "show", :id => @project.slug, :show_form => "yes"}, {:notice => I18n.t('helpers.project.success')}) } - format.json { render json: @project, status: :created, location: @project } else format.html { render action: "new" } - format.json { render json: @project.errors, status: :unprocessable_entity } end end else @@ -153,17 +155,15 @@ # PUT /projects/1.json def update @project = Project.find(params[:id]) + authorize @project if user_signed_in? && @project.editable_by(current_user.id) then - if @project.update_attributes(params[:project]) respond_to do |format| format.html { redirect_to({:action => "show", :id => @project.slug, notice: I18n.t('helpers.project.success_update') }) } - format.json { head :no_content } end else respond_to do |format| format.html { render action: "edit" } - format.json { render json: @project.errors, status: :unprocessable_entity } end end else 
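Review bot: The `update` hunk removes the line `if @project.update_attributes(params[:project])` along with its JSON responders, so as shown the action never persists the submitted attributes and redirects with the `success_update` notice unconditionally; the `else` / `render action: "edit"` branch now pairs with `if user_signed_in? ...`, and the trailing `else` is left without a matching `if`, which reads as a syntax error unless the collapsed hunk hides a line. Restore the save as the inner condition, `if @project.update_attributes(params[:project])`, directly after the `editable_by` test. The surrounding method continues outside the hunk.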
@@ -175,19 +175,21 @@ # DELETE /projects/1.json def destroy @project = Project.find(params[:id]) + authorize @project if user_signed_in? && @project.editable_by(current_user.id) then @project.destroy respond_to do |format| format.html { redirect_to projects_url } - format.json { head :no_content } end else render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false) end end -=begin + # returns to AJAX call from frontend + # difficult to secure as it passes through params, and dosent curate data based + # on what the user can "view" or is public # GET /projects/possible_templates.json def possible_templates if !params[:funder].nil? && params[:funder] != "" && params[:funder] != "undefined" then @@ -221,7 +223,11 @@ end end - def possible_guidance + # returns to AJAX call from frontend + # difficult to secure as it passes through params, and dosent curate data based + # on what the user can "view" or is public + def possible_guidance + authorize @project if !params[:template].nil? && params[:template] != "" && params[:template] != "undefined" then template = Dmptemplate.find(params[:template]) else @@ -242,6 +248,7 @@ #subset guidance that belong to the institution unless institution.nil? then + authorize Project optional_gg = GuidanceGroup.where("optional_subset = ? && organisation_id = ?", true, institution.id) optional_gg.each do|optional| guidance_groups[optional.id] = optional.name @@ -276,7 +283,6 @@ format.json { render json: guidance_groups.to_json } end end -=end private def orgs_of_type(org_type_name, published_templates = false) diff --git a/app/controllers/settings.rb b/app/controllers/settings.rb index 443bf8a..612db61 100644 --- a/app/controllers/settings.rb +++ b/app/controllers/settings.rb @@ -1,7 +1,5 @@ module Settings class SettingsController < ApplicationController - before_filter do - authorize! :manage_settings, current_user - end + end end 
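Review bot: `possible_guidance` calls `authorize @project`, but nothing in the visible code assigns `@project` in this action (it works from `params[:template]`), so unless a before_filter outside this diff sets it, Pundit receives `nil` and raises rather than authorizing. The second `authorize Project` inside `unless institution.nil?` runs on only one path, so `verify_authorized` is satisfied inconsistently; use `authorize Project` unconditionally at the top of the action and drop the conditional call. `possible_templates`, re-enabled by deleting the `=begin`/`=end` pair, shows no `authorize` in the lines visible here and will trip `verify_authorized` if none exists further down. The added comment conceding that these endpoints do not curate data by what the user may view deserves a tracked item, e.g. `# TODO: scope templates/guidance to what current_user may view`.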
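Review bot: Removing the `before_filter { authorize! :manage_settings, current_user }` from the shared `Settings::SettingsController` drops the one check that applied to every settings controller at once; protection now depends on each subclass adding `after_action :verify_authorized` and its own `authorize` call, which this commit does for plans and projects (L23) but which any other or future subclass silently loses. Leaving an empty class body also hides the intent. Either move `after_action :verify_authorized` up into this base class so subclasses inherit the guard, or add `# Authorization is delegated to the Pundit policy in each subclass` so the emptiness is clearly deliberate.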
diff --git a/app/controllers/settings/plans_controller.rb b/app/controllers/settings/plans_controller.rb index 82884e3..c9a4adb 100644 --- a/app/controllers/settings/plans_controller.rb +++ b/app/controllers/settings/plans_controller.rb @@ -2,17 +2,18 @@ class PlansController < SettingsController before_filter :get_settings + after_action :verify_authorized def show + authorize [:settings, plan] respond_to do |format| format.html format.partial - format.json { render json: settings_json } end end def update - + authorize [:settings, plan] export_params = params[:export].try(:deep_symbolize_keys) settings = plan.super_settings(:export).tap do |s| @@ -29,7 +30,6 @@ if settings.save respond_to do |format| format.html { redirect_to(export_project_path(plan.project)) } - format.json { render json: settings_json } end else settings.formatting = nil diff --git a/app/controllers/settings/projects_controller.rb b/app/controllers/settings/projects_controller.rb index 5719f2c..5a2d48d 100644 --- a/app/controllers/settings/projects_controller.rb +++ b/app/controllers/settings/projects_controller.rb @@ -4,20 +4,22 @@ before_filter :get_plan_list_columns before_filter :get_settings + after_action :verify_authorized + def show + authorize [:settings, Project] respond_to do |format| format.html - format.json { render json: settings_json } end end def update + authorize [:settings, Project] columns = (params[:columns] || {}) if @settings.update_attributes(columns: columns) respond_to do |format| format.html { redirect_to(projects_path) } - format.json { render json: settings_json } end else render(action: :show) # Expect #show to display errors etc diff --git a/app/controllers/themes_controller.rb b/app/controllers/themes_controller.rb deleted file mode 100644 index 549e6b5..0000000 --- a/app/controllers/themes_controller.rb +++ /dev/null 
@@ -1,83 +0,0 @@ -class ThemesController < ApplicationController - # GET /themes - # GET /themes.json - def index - @themes = Theme.all - - respond_to do |format| - format.html # index.html.erb - format.json { render json: @themes } - end - end - - # GET /themes/1 - # GET /themes/1.json - def show - @theme = Theme.find(params[:id]) - - respond_to do |format| - format.html # show.html.erb - format.json { render json: @theme } - end - end - - # GET /themes/new - # GET /themes/new.json - def new - @theme = Theme.new - - respond_to do |format| - format.html # new.html.erb - format.json { render json: @theme } - end - end - - # GET /themes/1/edit - def edit - @theme = Theme.find(params[:id]) - end - - # POST /themes - # POST /themes.json - def create - @theme = Theme.new(params[:theme]) - - respond_to do |format| - if @theme.save - format.html { redirect_to @theme, notice: I18n.t('admin.theme_created') } - format.json { render json: @theme, status: :created, location: @theme } - else - format.html { render action: "new" } - format.json { render json: @theme.errors, status: :unprocessable_entity } - end - end - end - - # PUT /themes/1 - # PUT /themes/1.json - def update - @theme = Theme.find(params[:id]) - - respond_to do |format| - if @theme.update_attributes(params[:theme]) - format.html { redirect_to @theme, notice: I18n.t('admin.theme_updated') } - format.json { head :no_content } - else - format.html { render action: "edit" } - format.json { render json: @theme.errors, status: :unprocessable_entity } - end - end - end - - # DELETE /themes/1 - # DELETE /themes/1.json - def destroy - @theme = Theme.find(params[:id]) - @theme.destroy - - respond_to do |format| - format.html { redirect_to themes_url } - format.json { head :no_content } - end - end -end diff --git a/app/controllers/user_org_roles_controller.rb b/app/controllers/user_org_roles_controller.rb deleted file mode 100644 index c31867d..0000000 --- a/app/controllers/user_org_roles_controller.rb +++ /dev/null 
@@ -1,83 +0,0 @@ -class UserOrgRolesController < ApplicationController - # GET /user_org_roles - # GET /user_org_roles.json - def index - @user_org_roles = UserOrgRole.all - - respond_to do |format| - format.html # index.html.erb - format.json { render json: @user_org_roles } - end - end - - # GET /user_org_roles/1 - # GET /user_org_roles/1.json - def show - @user_org_role = UserOrgRole.find(params[:id]) - - respond_to do |format| - format.html # show.html.erb - format.json { render json: @user_org_role } - end - end - - # GET /user_org_roles/new - # GET /user_org_roles/new.json - def new - @user_org_role = UserOrgRole.new - - respond_to do |format| - format.html # new.html.erb - format.json { render json: @user_org_role } - end - end - - # GET /user_org_roles/1/edit - def edit - @user_org_role = UserOrgRole.find(params[:id]) - end - - # POST /user_org_roles - # POST /user_org_roles.json - def create - @user_org_role = UserOrgRole.new(params[:user_org_role]) - - respond_to do |format| - if @user_org_role.save - format.html { redirect_to @user_org_role, notice: I18n.t('org_admin.user_org_created') } - format.json { render json: @user_org_role, status: :created, location: @user_org_role } - else - format.html { render action: "new" } - format.json { render json: @user_org_role.errors, status: :unprocessable_entity } - end - end - end - - # PUT /user_org_roles/1 - # PUT /user_org_roles/1.json - def update - @user_org_role = UserOrgRole.find(params[:id]) - - respond_to do |format| - if @user_org_role.update_attributes(params[:user_org_role]) - format.html { redirect_to @user_org_role, notice: I18n.t('org_admin.user_org_updated') } - format.json { head :no_content } - else - format.html { render action: "edit" } - format.json { render json: @user_org_role.errors, status: :unprocessable_entity } - end - end - end - - # DELETE /user_org_roles/1 - # DELETE /user_org_roles/1.json - def destroy - @user_org_role = UserOrgRole.find(params[:id]) - @user_org_role.destroy - - 
respond_to do |format| - format.html { redirect_to user_org_roles_url } - format.json { head :no_content } - end - end -end diff --git a/app/controllers/user_role_types_controller.rb b/app/controllers/user_role_types_controller.rb deleted file mode 100644 index e45d86c..0000000 --- a/app/controllers/user_role_types_controller.rb +++ /dev/null 
@@ -1,83 +0,0 @@ -class UserRoleTypesController < ApplicationController - # GET /user_role_types - # GET /user_role_types.json - def index - @user_role_types = UserRoleType.all - - respond_to do |format| - format.html # index.html.erb - format.json { render json: @user_role_types } - end - end - - # GET /user_role_types/1 - # GET /user_role_types/1.json - def show - @user_role_type = UserRoleType.find(params[:id]) - - respond_to do |format| - format.html # show.html.erb - format.json { render json: @user_role_type } - end - end - - # GET /user_role_types/new - # GET /user_role_types/new.json - def new - @user_role_type = UserRoleType.new - - respond_to do |format| - format.html # new.html.erb - format.json { render json: @user_role_type } - end - end - - # GET /user_role_types/1/edit - def edit - @user_role_type = UserRoleType.find(params[:id]) - end - - # POST /user_role_types - # POST /user_role_types.json - def create - @user_role_type = UserRoleType.new(params[:user_role_type]) - - respond_to do |format| - if @user_role_type.save - format.html { redirect_to @user_role_type, notice: I18n.t('admin.user_role_type_created') } - format.json { render json: @user_role_type, status: :created, location: @user_role_type } - else - format.html { render action: "new" } - format.json { render json: @user_role_type.errors, status: :unprocessable_entity } - end - end - end - - # PUT /user_role_types/1 - # PUT /user_role_types/1.json - def update - @user_role_type = UserRoleType.find(params[:id]) - - respond_to do |format| - if @user_role_type.update_attributes(params[:user_role_type]) - format.html { redirect_to @user_role_type, notice: I18n.t('admin.user_role_type_updated') } - format.json { head :no_content } - else - format.html { render action: "edit" } - format.json { render json: @user_role_type.errors, status: :unprocessable_entity } - end - end - end - - # DELETE /user_role_types/1 - # DELETE /user_role_types/1.json - def destroy - @user_role_type = 
UserRoleType.find(params[:id]) - @user_role_type.destroy - - respond_to do |format| - format.html { redirect_to user_role_types_url } - format.json { head :no_content } - end - end -end diff --git a/app/controllers/user_statuses_controller.rb b/app/controllers/user_statuses_controller.rb deleted file mode 100644 index 0e19c5d..0000000 --- a/app/controllers/user_statuses_controller.rb +++ /dev/null 
@@ -1,83 +0,0 @@ -class UserStatusesController < ApplicationController - # GET /user_statuses - # GET /user_statuses.json - def index - @user_statuses = UserStatus.all - - respond_to do |format| - format.html # index.html.erb - format.json { render json: @user_statuses } - end - end - - # GET /user_statuses/1 - # GET /user_statuses/1.json - def show - @user_status = UserStatus.find(params[:id]) - - respond_to do |format| - format.html # show.html.erb - format.json { render json: @user_status } - end - end - - # GET /user_statuses/new - # GET /user_statuses/new.json - def new - @user_status = UserStatus.new - - respond_to do |format| - format.html # new.html.erb - format.json { render json: @user_status } - end - end - - # GET /user_statuses/1/edit - def edit - @user_status = UserStatus.find(params[:id]) - end - - # POST /user_statuses - # POST /user_statuses.json - def create - @user_status = UserStatus.new(params[:user_status]) - - respond_to do |format| - if @user_status.save - format.html { redirect_to @user_status, notice: I18n.t('admin.user_status_created') } - format.json { render json: @user_status, status: :created, location: @user_status } - else - format.html { render action: "new" } - format.json { render json: @user_status.errors, status: :unprocessable_entity } - end - end - end - - # PUT /user_statuses/1 - # PUT /user_statuses/1.json - def update - @user_status = UserStatus.find(params[:id]) - - respond_to do |format| - if @user_status.update_attributes(params[:user_status]) - format.html { redirect_to @user_status, notice: I18n.t('admin.user_status_updated') } - format.json { head :no_content } - else - format.html { render action: "edit" } - format.json { render json: @user_status.errors, status: :unprocessable_entity } - end - end - end - - # DELETE /user_statuses/1 - # DELETE /user_statuses/1.json - def destroy - @user_status = UserStatus.find(params[:id]) - @user_status.destroy - - respond_to do |format| - format.html { redirect_to 
user_statuses_url } - format.json { head :no_content } - end - end -end diff --git a/app/controllers/user_types_controller.rb b/app/controllers/user_types_controller.rb deleted file mode 100644 index 565bdf2..0000000 --- a/app/controllers/user_types_controller.rb +++ /dev/null 
@@ -1,83 +0,0 @@ -class UserTypesController < ApplicationController - # GET /user_types - # GET /user_types.json - def index - @user_types = UserType.all - - respond_to do |format| - format.html # index.html.erb - format.json { render json: @user_types } - end - end - - # GET /user_types/1 - # GET /user_types/1.json - def show - @user_type = UserType.find(params[:id]) - - respond_to do |format| - format.html # show.html.erb - format.json { render json: @user_type } - end - end - - # GET /user_types/new - # GET /user_types/new.json - def new - @user_type = UserType.new - - respond_to do |format| - format.html # new.html.erb - format.json { render json: @user_type } - end - end - - # GET /user_types/1/edit - def edit - @user_type = UserType.find(params[:id]) - end - - # POST /user_types - # POST /user_types.json - def create - @user_type = UserType.new(params[:user_type]) - - respond_to do |format| - if @user_type.save - format.html { redirect_to @user_type, notice: I18n.t('admin.user_type_updated') } - format.json { render json: @user_type, status: :created, location: @user_type } - else - format.html { render action: "new" } - format.json { render json: @user_type.errors, status: :unprocessable_entity } - end - end - end - - # PUT /user_types/1 - # PUT /user_types/1.json - def update - @user_type = UserType.find(params[:id]) - - respond_to do |format| - if @user_type.update_attributes(params[:user_type]) - format.html { redirect_to @user_type, notice: I18n.t('admin.user_type_updated') } - format.json { head :no_content } - else - format.html { render action: "edit" } - format.json { render json: @user_type.errors, status: :unprocessable_entity } - end - end - end - - # DELETE /user_types/1 - # DELETE /user_types/1.json - def destroy - @user_type = UserType.find(params[:id]) - @user_type.destroy - - respond_to do |format| - format.html { redirect_to user_types_url } - format.json { head :no_content } - end - end -end 
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 530bf0f..636c44a 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb 
@@ -1,83 +1,11 @@ class UsersController < ApplicationController - - # GET /users/1 - # GET /users/1.json - def show - @user = User.find(params[:id]) - - respond_to do |format| - format.html # show.html.erb - format.json { render json: @user } - end - end - - # GET /users/new - # GET /users/new.json - def new - @user = User.new - - respond_to do |format| - format.html # new.html.erb - format.json { render json: @user } - end - end - - # GET /users/1/edit - def edit - @user = User.find(params[:id]) - end - - # POST /users - # POST /users.json - def create - @user = User.new(params[:user]) - - respond_to do |format| - if @user.save - format.html { redirect_to @user, notice: I18n.t('admin.user_created') } - format.json { render json: @user, status: :created, location: @user } - else - format.html { render action: "new" } - format.json { render json: @user.errors, status: :unprocessable_entity } - end - end - end - - # PUT /users/1 - # PUT /users/1.json - def update - @user = User.find(params[:id]) - - respond_to do |format| - if @user.update_attributes(params[:user]) - format.html { redirect_to({:controller=> "projects", :action => "new"}, {:notice => I18n.t('helpers.project.create_success') }) } - format.json { head :no_content } - else - format.html { render action: "edit" } - format.json { render json: @user.errors, status: :unprocessable_entity } - end - end - end - - - # DELETE /users/1 - # DELETE /users/1.json - def destroy - @user = User.find(params[:id]) - @user.destroy - - respond_to do |format| - format.html { redirect_to users_url } - format.json { head :no_content } - end - end + after_action :verify_authorized def admin_index authorize User @users = current_user.organisation.users.includes(:roles, :project_groups) respond_to do |format| format.html # index.html.erb - format.json { render json: @organisation_users } end end 
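Review bot: `admin_index` now relies on `authorize User` resolving to a `UserPolicy#admin_index?`, but no UserPolicy appears in this diff, so whether the action is restricted to organisation administrators cannot be confirmed here; if `UserPolicy` inherits ApplicationPolicy without defining `admin_index?`, Pundit raises NoMethodError rather than denying. Please reference or include that policy, and document the expectation above the action: `# Lists the users of current_user's organisation; UserPolicy#admin_index? must restrict this to org admins`. Deleting the unauthenticated CRUD actions is the right move; the remaining action ending at L34 (`@user.save!`) starts outside its hunk, so whether it calls `authorize` cannot be seen.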
@@ -113,7 +41,6 @@ @user.save! respond_to do |format| format.html { redirect_to({controller: 'users', action: 'admin_index'}, {notice: I18n.t('helpers.success')})} - format.json { head :no_content } end end diff --git a/app/policies/answer_policy.rb b/app/policies/answer_policy.rb new file mode 100644 index 0000000..61f6989 --- /dev/null +++ b/app/policies/answer_policy.rb @@ -0,0 +1,15 @@ +class AnswerPolicy < ApplicationPolicy + attr_reader :user + attr_reader :answer + + def initialize(user, answer) + raise Pundit::NotAuthorizedError, "must be logged in" unless user + @user = user + @answer = answer + end + + def create? + @answer.plan.editable_by(@user.id) + end + +end \ No newline at end of file diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index ea84308..de9b7ba 100644 --- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb @@ -9,7 +9,7 @@ end def index? - false + true end def show? @@ -17,7 +17,7 @@ end def create? - false + true end def new? @@ -25,7 +25,7 @@ end def update? - false + true end def edit? @@ -33,7 +33,7 @@ end def destroy? - false + true end def scope diff --git a/app/policies/comment_policy.rb b/app/policies/comment_policy.rb new file mode 100644 index 0000000..570c0a1 --- /dev/null +++ b/app/policies/comment_policy.rb @@ -0,0 +1,23 @@ +class CommentPolicy < ApplicationPolicy + attr_reader :user + attr_reader :comment + + def initialize(user, comment) + raise Pundit::NotAuthorizedError, "must be logged in" unless user + @user = user + @comment = comment + end + + def create? + Plan.find(@comment.plan_id).readable_by(@user.id) + end + + def update? + Plan.find(@comment.plan_id).readable_by(@user.id) + end + + def archive? + Plan.find(@comment.plan_id).readable_by(@user.id) + end + +end \ No newline at end of file diff --git a/app/policies/dmptemplate_policy.rb b/app/policies/dmptemplate_policy.rb index ea17c40..c2dbe91 100644 --- a/app/policies/dmptemplate_policy.rb 
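Review bot: AnswerPolicy#create? dereferences `@answer.plan` without a nil guard; AnswersController builds the record with `Answer.new(params[:answer])`, so a missing or bogus plan reference yields `nil` here and a NoMethodError (500) instead of a denial. Use `@answer.plan.present? && @answer.plan.editable_by(@user.id)`. Assigning `@user`/`@answer` manually without calling `super` also bypasses `ApplicationPolicy#initialize`, so any inherited predicate that reads `record` sees `nil`; the same pattern recurs in the comment, plan, project_group, project and settings policies of this diff and is worth a shared base-class initializer or at least a `super(user, answer)` call.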
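Review bot: Flipping the defaults of `index?`, `create?`, `update?` and `destroy?` from `false` to `true` (the four application_policy.rb hunks here) makes every policy fail open: any policy that does not override a predicate now grants it to every signed-in user, the opposite of the safe default these base predicates exist to provide. Several policies in this commit rely on that silently (ProjectPolicy defines no `index?`/`create?`, PlanPolicy and CommentPolicy no `destroy?`). Keep the base predicates at `false` and add explicit `true` overrides where open access is intended, so a forgotten override denies instead of permits.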
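Review bot: CommentPolicy's `create?`, `update?` and `archive?` all reduce to "user can read the plan", so any collaborator with read access may edit or archive another user's comment; if comments are owned, `update?` and `archive?` should additionally compare the comment's author with `@user` (the comment model is not in this diff, so the attribute name cannot be confirmed here). Each predicate also issues `Plan.find(@comment.plan_id)`, which raises `ActiveRecord::RecordNotFound` for an invalid id instead of denying; if a `plan` association exists, a single private helper such as `def plan_readable?; @comment.plan.present? && @comment.plan.readable_by(@user.id); end` removes the triplicated query and fails closed.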
+++ b/app/policies/dmptemplate_policy.rb @@ -12,11 +12,11 @@ end def admin_template? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_update? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_new? 
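Review bot: Commenting out `(dmptemplate.organisation_id == user.organisation_id)` in `admin_template?` and `admin_update?` — and in every `admin_*` predicate of the second hunk (L36–L38) — removes the tenancy check, so any user with `can_modify_templates?` can now view, edit, clone and destroy templates belonging to other organisations; that is a privilege-escalation regression, not a cleanup. If the intent is to let some administrators work across organisations, express that as an explicit role condition combined with the ownership comparison rather than dropping the comparison for everyone, and add a test with a user from a different organisation. Dead `#&& ...` fragments should be deleted rather than left as hints.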
@@ -24,95 +24,95 @@ end def admin_create? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_destroy? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_phase? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_previewphase? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_addphase? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_createphase? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_updatephase? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_destroyphase? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_updateversion? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_cloneversion? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? 
#&& (dmptemplate.organisation_id == user.organisation_id) end def admin_destroyversion? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_createsection? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_updatesection? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_destroysection? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_createquestion? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_updatequestion? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_destroyquestion? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_createsuggestedanswer? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_updatesuggestedanswer? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_destroysuggestedanswer? - user.can_modify_templates? 
&& (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_createguidance? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_updateguidance? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end def admin_destroyguidance? - user.can_modify_templates? && (dmptemplate.organisation_id == user.organisation_id) + user.can_modify_templates? #&& (dmptemplate.organisation_id == user.organisation_id) end class Scope < Scope diff --git a/app/policies/organisation_policy.rb b/app/policies/organisation_policy.rb index 4326458..677912c 100644 --- a/app/policies/organisation_policy.rb +++ b/app/policies/organisation_policy.rb @@ -19,4 +19,16 @@ user.can_modify_org_details? && (user.organisaiton_id == organisation.id) end + def parent? + true + end + + def children? + true + end + + def templates? + true + end + end \ No newline at end of file diff --git a/app/policies/plan_policy.rb b/app/policies/plan_policy.rb new file mode 100644 index 0000000..2d4d08a --- /dev/null +++ b/app/policies/plan_policy.rb 
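Review bot: OrganisationPolicy's new `parent?`, `children?` and `templates?` return `true` unconditionally, so the member routes retained by `resources :organisations, only: []` (L43) are open to any user who passes the policy's constructor regardless of organisation membership; if these endpoints return organisation-internal data, scope them the way the predicate just above does (`user.organisation_id == organisation.id`), otherwise add `# public read-only lookups; no membership check by design`. The unchanged context line `user.organisaiton_id == organisation.id` looks like a typo of `organisation_id`; if `User` has no such method that predicate always raises NoMethodError and should be corrected while here.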
@@ -0,0 +1,58 @@ +class PlanPolicy < ApplicationPolicy + attr_reader :user + attr_reader :plan + + def initialize(user, plan) + raise Pundit::NotAuthorizedError, "must be logged in" unless user + @user = user + @plan = plan + end + + def edit? + @plan.editable_by(@user.id) + end + + def export? + @plan.readable_by(@user.id) + end + + def update? + @plan.editable_by(@user.id) + end + + def status? + @plan.readable_by(@user.id) + end + + def section_answers? + @plan.readable_by(@user.id) + end + + def locked? + @plan.readable_by(@user.id) + end + + def delete_recent_locks? + @plan.editable_by(@user.id) + end + + def unlock_all_sections? + @plan.editable_by(@user.id) + end + + def lock_section? + @plan.editable_by(@user.id) + end + + def unlock_section? + @plan.editable_by(@user.id) + end + + def answer? + @plan.readable_by(@user.id) + end + + def warning? + @plan.readable_by(@user.id) + end +end \ No newline at end of file diff --git a/app/policies/project_group_policy.rb b/app/policies/project_group_policy.rb new file mode 100644 index 0000000..595687e --- /dev/null +++ b/app/policies/project_group_policy.rb @@ -0,0 +1,22 @@ +class ProjectGroupPolicy < ApplicationPolicy + attr_reader :user + attr_reader :project_group + + def initialize(user, project_group) + raise Pundit::NotAuthorizedError, "must be logged in" unless user + @user = user + @project_group = project_group + end + + def create? + @project_group.project.administerable_by(@user.id) + end + + def update? + @project_group.project.administerable_by(@user.id) + end + + def destroy? + @project_group.project.administerable_by(@user.id) + end +end \ No newline at end of file diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb new file mode 100644 index 0000000..60c76fd --- /dev/null +++ b/app/policies/project_policy.rb 
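Review bot: PlanPolicy repeats `@plan.readable_by(@user.id)` and `@plan.editable_by(@user.id)` across twelve predicates, which invites drift when one mapping changes; two private helpers, `def readable?; @plan.readable_by(@user.id); end` and `def editable?; @plan.editable_by(@user.id); end`, with each predicate delegating to one of them, keep the read/edit split visible in one place. PlanPolicy also defines no `show?` or `destroy?`: `destroy?` would inherit the `true` this commit puts in ApplicationPolicy (L34), and `show?` inherits a body that, if it is the stock `record`/`scope` one, sees `nil` because `initialize` never calls `super`. Routes limit plans to `edit`/`update` (L43), so either document that reliance or define those predicates explicitly.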
@@ -0,0 +1,42 @@ +class ProjectPolicy < ApplicationPolicy + attr_reader :user + attr_reader :project + + def initialize(user, project) + raise Pundit::NotAuthorizedError, "must be logged in" unless user + @user = user + @project = project + end + + def show? + @project.readable_by(@user.id) + end + + def edit? + @project.editable_by(@user.id) + end + + def share? + @project.editable_by(@user.id) + end + + def export? + @project.readable_by(@user.id) + end + + def update? + @project.editable_by(@user.id) + end + + def destroy? + @project.editable_by(@user.id) + end + + def possible_templates? + true + end + + def possible_guidance? + true + end +end \ No newline at end of file diff --git a/app/policies/settings/plan_policy.rb b/app/policies/settings/plan_policy.rb new file mode 100644 index 0000000..f8bd066 --- /dev/null +++ b/app/policies/settings/plan_policy.rb @@ -0,0 +1,20 @@ +class Settings::PlanPolicy < ApplicationPolicy + + attr_reader :user + attr_reader :plan + + def initialize(user, plan) + raise Pundit::NotAuthorizedError, "must be logged in" unless user + @user = user + @plan = plan + end + + def show? + @plan.readable_by(@user.id) + end + + def update? + @plan.editable_by(@user.id) + end + +end \ No newline at end of file diff --git a/app/policies/settings/project_policy.rb b/app/policies/settings/project_policy.rb new file mode 100644 index 0000000..08c333f --- /dev/null +++ b/app/policies/settings/project_policy.rb 
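Review bot: `possible_templates?` and `possible_guidance?` return `true`, and the controller comment added at L22 concedes those endpoints return whatever `params` names without filtering by what the user may view, so the policy is effectively recording that the two AJAX lookups are open to any signed-in user. Put that in writing so a later reader does not take the `true` for an oversight, e.g. `# AJAX lookups: open to any signed-in user; the data is not yet scoped to the viewer`. The `share?` predicate uses `editable_by`, which is stricter than the `administerable_by` that ProjectGroupPolicy applies to the same sharing workflow (L39); if that difference is intended, a one-line comment explaining it would help.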
@@ -0,0 +1,24 @@
+class Settings::ProjectPolicy < ApplicationPolicy
+ # this is the policy for app/controllers/settings/projects_controller.rb
+
+ attr_reader :user
+ attr_reader :projects
+
+ def initialize(user, settings)
+ raise Pundit::NotAuthorizedError, "must be logged in" unless user
+ @user = user
+ @settings = settings
+ end
+
+ # for this controller, we allow all actions as the "settings" object
+ # is curated by rails based on user, not on a passed param
+
+ def show?
+ true
+ end
+
+ def update?
+ true
+ end
+
+end
\ No newline at end of file
diff --git a/app/views/dmptemplates/_show_phases_sections.html.erb b/app/views/dmptemplates/_show_phases_sections.html.erb
index 6822565..19c603a 100644
--- a/app/views/dmptemplates/_show_phases_sections.html.erb
+++ b/app/views/dmptemplates/_show_phases_sections.html.erb
@@ -53,7 +53,7 @@
@@ -70,4 +70,4 @@ <%end%> -
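Review bot: `attr_reader :projects` does not match the instance variable the constructor sets (`@settings`), so `policy.projects` returns nil and `@settings` has no reader at all; change it to `attr_reader :settings` or rename the ivar to match. The class comment explains that the settings object is derived from the current user rather than from a request parameter, which is what justifies `show?` and `update?` returning true; since `@settings` is never consulted by either predicate, the reader and the ivar should at least agree so the stored object is reachable if a later predicate needs it.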
\ No newline at end of file +
diff --git a/config/routes.rb b/config/routes.rb
index 1d59a2b..78c801a 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -42,7 +42,7 @@
 #post 'contact_form' => 'contacts', as: 'localized_contact_creation'
 #get 'contact_form' => 'contacts#new', as: 'localized_contact_form'
- resources :organisations, :path => 'org/admin' do
+ resources :organisations, :path => 'org/admin', only: [] do
 member do
 get 'children'
 get 'templates'
@@ -52,7 +52,7 @@
 end
 end
- resources :guidances, :path => 'org/admin/guidance' do
+ resources :guidances, :path => 'org/admin/guidance', only: [] do
 member do
 get 'admin_show'
 get 'admin_index'
@@ -62,14 +62,14 @@
 post 'admin_create'
 put 'admin_update'
- get 'update_phases', :as => 'update_phases'
- get 'update_versions', :as => 'update_versions'
- get 'update_sections', :as => 'update_sections'
- get 'update_questions', :as => 'update_questions'
+ get 'update_phases'
+ get 'update_versions'
+ get 'update_sections'
+ get 'update_questions'
 end
 end
- resources :guidance_groups, :path => 'org/admin/guidancegroup' do
+ resources :guidance_groups, :path => 'org/admin/guidancegroup', only: [] do
 member do
 get 'admin_show'
 get 'admin_new'
@@ -80,11 +80,7 @@
 end
 end
- #resource :organisation
-
- #resources :splash_logs
-
- resources :dmptemplates, :path => 'org/admin/templates' do
+ resources :dmptemplates, :path => 'org/admin/templates', only: [] do
 member do
 get 'admin_index'
 get 'admin_template'
@@ -113,25 +109,16 @@
 end
 end
- resources :phases
- resources :versions
- resources :sections
- resources :questions
- resources :question_themes
+ resources :answers, only: :create
-
- resources :themes
-
- resources :answers
- resources :plan_sections
- resources :comments do
+ resources :comments, only: [:create, :update] do
 member do
 put 'archive'
 end
 end
 resources :projects do
- resources :plans do
+ resources :plans , only: [:edit, :update] do
 member do
 get 'status'
 get 'locked'
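Review bot: `resources :plans , only: [:edit, :update] do` has a stray space before the comma, and `resources :answers, only: :create` uses a bare symbol where the neighbouring lines use arrays; `resources :plans, only: [:edit, :update] do` and `resources :answers, only: [:create]` keep the style uniform. `resources :comments, only: [:create, :update]` still exposes the `put 'archive'` member route, which needs its own `archive?` predicate in the comment policy (not on this page) if the comments controller authorizes through Pundit — worth confirming it exists. The custom member routes under `resources :plans` (`status`, `locked`, …) remain reachable despite `only:`, which is fine as long as each has a matching predicate; PlanPolicy in this commit defines `status?`, `locked?`, `section_answers?`, `delete_recent_locks?`, `unlock_all_sections?`, `lock_section?`, `unlock_section?`, `answer?` and `warning?`, so a short comment next to the block, `# member actions are authorized per-action in PlanPolicy`, would tie the two together.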
@@ -151,7 +138,6 @@
 get 'share'
 get 'export'
 post 'invite'
- #post 'create'
 end
 collection do
 get 'possible_templates'
@@ -159,26 +145,11 @@
 end
 end
- resources :project_partners
- resources :project_groups
-
- resources :users
- resources :user_statuses
- resources :user_types
-
- resources :user_role_types
- resources :user_org_roles
-
-
- resources :organisation_types
- resources :pages
-
- resources :file_types
- resources :file_uploads
+ resources :project_groups, only: [:create, :update, :destroy]
 namespace :settings do
- resource :projects
- resources :plans
+ resource :projects, only: [:show, :update]
+ resources :plans, only: [:show, :update]
 end
 resources :token_permission_types, only: [:index]
@@ -199,8 +170,6 @@
 end
 end
- get '/api' => redirect('/swagger/dist/index.html?url=/apidocs/api-docs.json')
- # The priority is based upon order of creation: # first created -> highest priority.