作业增加成员、删除成员增加权限控制

2014-06-11 17:34:57 +08:00 · 2014-06-11 17:34:57 +08:00 · 19fc84afee
parent 43736ba8d6
commit 19fc84afee
1 changed files with 35 additions and 28 deletions
--- a/app/controllers/homework_attach_controller.rb
+++ b/app/controllers/homework_attach_controller.rb
@ -2,7 +2,7 @@ class HomeworkAttachController < ApplicationController
  ###############################
  #判断当前角色权限时需先找到当前操作的project
  before_filter :find_project_by_bid_id, :only => [:new]
-  before_filter :find_project_by_hoemwork_id, :only => [:edit,:update,:destroy]
+  before_filter :find_project_by_hoemwork_id, :only => [:edit,:update,:destroy,:show,:add_homework_users,:destory_homework_users]
  #判断当前角色是否有操作权限
  #勿删 before_filter :authorize, :only => [:new,:edit,:update,:destroy]

@ -28,36 +28,43 @@ class HomeworkAttachController < ApplicationController

  #作业添加成员（参与人员）
  def add_homework_users
-    @homework = HomeworkAttach.find(params[:id])
-
-    if params[:membership]
-      if params[:membership][:user_ids]
-        attrs = params[:membership].dup
-        user_ids = attrs.delete(:user_ids)
-        user_ids.each do |user_id|
-          @homework.homework_users.build(:user_id => user_id)
+    if User.current.admin? || User.current == @homework.user
+      #@homework = HomeworkAttach.find(params[:id])
+      if params[:membership]
+        if params[:membership][:user_ids]
+          attrs = params[:membership].dup
+          user_ids = attrs.delete(:user_ids)
+          user_ids.each do |user_id|
+            @homework.homework_users.build(:user_id => user_id)
+          end
        end
      end
-    end
-    @homework.save
-    @hoemwork_users = users_for_homework(@homework)
-    @members = members_for_homework(@homework,@hoemwork_users,params[:q])
-    @members = paginateHelper @members,10
-    respond_to do |format|
-      format.js
+      @homework.save
+      @hoemwork_users = users_for_homework(@homework)
+      @members = members_for_homework(@homework,@hoemwork_users,params[:q])
+      @members = paginateHelper @members,10
+      respond_to do |format|
+        format.js
+      end
+    else
+      render_403 :message => :notice_not_authorized
    end
  end

  #作业删除成员（参与人员）
  def destory_homework_users
-    @homework = HomeworkAttach.find(params[:id])
-    homework_user = @homework.homework_users.where("user_id = #{params[:user_id]}").first
-    homework_user.destroy
-    @hoemwork_users = users_for_homework(@homework)
-    @members = members_for_homework(@homework,@hoemwork_users,params[:q])
-    @members = paginateHelper @members,10
-    respond_to do |format|
-      format.js
+    #@homework = HomeworkAttach.find(params[:id])
+    if User.current.admin? || User.current == @homework.user
+      homework_user = @homework.homework_users.where("user_id = #{params[:user_id]}").first
+      homework_user.destroy
+      @hoemwork_users = users_for_homework(@homework)
+      @members = members_for_homework(@homework,@hoemwork_users,params[:q])
+      @members = paginateHelper @members,10
+      respond_to do |format|
+        format.js
+      end
+    else
+      render_403 :message => :notice_not_authorized
    end
  end

@ -155,7 +162,7 @@ class HomeworkAttachController < ApplicationController
  end

  def edit
-    @homework = HomeworkAttach.find(params[:id])
+    #@homework = HomeworkAttach.find(params[:id])
    if User.current.admin? || User.current.member_of?(@homework.bid.courses.first)
      #@members = @homework.bid.courses.first.members.joins(:member_roles).where("member_roles.role_id IN (:role_id)", {:role_id => [5, 10]})
      @hoemwork_users = users_for_homework(@homework)
@ -167,7 +174,7 @@ class HomeworkAttachController < ApplicationController
  end

  def update
-    @homework = HomeworkAttach.find(params[:id])
+    #@homework = HomeworkAttach.find(params[:id])
    course = @homework.bid.courses.first
    if User.current.admin? || User.current.member_of?(course)
      name = params[:homework_name]
@ -190,7 +197,7 @@ class HomeworkAttachController < ApplicationController
  end

  def destroy
-    @homework = HomeworkAttach.find(params[:id])
+    #@homework = HomeworkAttach.find(params[:id])
    if User.current.admin? || User.current.member_of?(@homework.bid.courses.first)
      if @homework.destroy
        respond_to do |format|
@ -206,7 +213,7 @@ class HomeworkAttachController < ApplicationController

  #显示作业信息
  def show
-    @homework = HomeworkAttach.find(params[:id])
+    #@homework = HomeworkAttach.find(params[:id])
    if User.current.admin? || User.current.member_of?(@homework.bid.courses.first)
      # 打分统计
      stars_reates = @homework.