权限调整

6 years ago · bbc2c6c387
parent 8470090933
commit bbc2c6c387
6 changed files with 48 additions and 0 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -274,6 +274,7 @@ class ApplicationController < ActionController::Base
    true
  end

+
  def require_admin
    return unless require_login
    if !User.current.admin?
--- a/app/controllers/ec_course_supports_controller.rb
+++ b/app/controllers/ec_course_supports_controller.rb
@ -2,6 +2,8 @@
 class EcCourseSupportsController < ApplicationController
  before_filter :find_year, :except => [:edit_require_vs_course, :destroy_require_vs_course]
  skip_before_filter :verify_authenticity_token, :only => [:create, :edit_require_vs_course, :destroy_require_vs_course]
+  before_filter :require_login
+  before_filter :ec_auth

  ###############################################################################
  # 毕业要求vs课程体系
@ -216,4 +218,11 @@ class EcCourseSupportsController < ApplicationController
  def find_year
    @year = EcYear.find(params[:ec_year_id])
  end
+
+  # 职业认证的权限判断
+  def ec_auth
+    unless User.current.admin? || (User.current.ec_school.present? && @year.ec_major_school.pluck(:school_id).include?(User.current.ec_school))
+      render_403
+    end
+  end
 end
--- a/app/controllers/ec_courses_controller.rb
+++ b/app/controllers/ec_courses_controller.rb
@ -3,6 +3,8 @@ class EcCoursesController < ApplicationController
  layout 'base_ec'
  before_filter :find_ec_course, :except => [:create, :get_calculation_data, :sync_all_course_data]
  before_filter :find_year, :only => [:create, :get_calculation_data]
+  before_filter :require_login
+  before_filter :ec_auth, :except => [:sync_all_course_data]
  skip_before_filter :verify_authenticity_token, :only => [:crud_targets, :crud_score_level, :sync_all_course_data, :search_courses,
                                                           :correlation_course, :delete_course]

@ -599,6 +601,13 @@ class EcCoursesController < ApplicationController
    #@is_manager = @template_major || @ec_course.ec_course_users.pluck(:user_id).include?(User.current.id)
  end

+  # 职业认证的权限判断
+  def ec_auth
+    unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == @ec_major_school.school_id)
+      render_403
+    end
+  end
+
  def target_list_data course_targets
    targets = []
    course_targets.each do |ct|
--- a/app/controllers/ec_major_schools_controller.rb
+++ b/app/controllers/ec_major_schools_controller.rb
@ -2,7 +2,10 @@
 class EcMajorSchoolsController < ApplicationController
  layout "base_ec"

+  before_filter :require_login
+
  before_filter :find_major_school, :except => [:get_navigation_data]
+  before_filter :ec_auth, :except => [:get_navigation_data]

  def show
    @years = @major_school.ec_years
@ -182,4 +185,11 @@ class EcMajorSchoolsController < ApplicationController
    # 管理员权限
    @major_manager = User.current.admin? || @major_school.school.ec_school_users.pluck(:user_id).include?(User.current.id) || @major_school.ec_major_school_users.pluck(:user_id).include?(User.current.id)
  end
+
+  # 职业认证的权限判断
+  def ec_auth
+    unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == @major_school.school_id)
+      render_403
+    end
+  end
 end
--- a/app/controllers/ec_years_controller.rb
+++ b/app/controllers/ec_years_controller.rb
@ -3,6 +3,9 @@ class EcYearsController < ApplicationController
  layout "base_ec"

  before_filter :find_major_and_year, except: [:create]
+  before_filter :require_login
+  before_filter :ec_auth
+
  #before_filter :find_year, only: [:set_calculation_value]
  skip_before_filter :verify_authenticity_token, :only => [:import_students, :set_calculation_value, :destroy_students]
  require 'simple_xlsx_reader'
@ -347,6 +350,13 @@ class EcYearsController < ApplicationController
    @template_major = User.current.admin? || @ec_major_school.school.ec_school_users.pluck(:user_id).include?(User.current.id) || @ec_major_school.ec_major_school_users.pluck(:user_id).include?(User.current.id)
  end

+  # 职业认证的权限判断
+  def ec_auth
+    unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == @ec_major_school.school_id)
+      render_403
+    end
+  end
+
  def find_year
    @year = EcYear.find(params[:id])
  end
--- a/app/controllers/ecs_controller.rb
+++ b/app/controllers/ecs_controller.rb
@ -1,5 +1,7 @@
 class EcsController < ApplicationController
  before_filter :find_school, :except => [:get_navigation_url]
+  before_filter :require_login
+  before_filter :ec_auth, :except => [:get_navigation_url]
  layout 'base_ec'

  def department
@ -62,4 +64,11 @@ class EcsController < ApplicationController
  def find_school
    @school = School.find(params[:school_id])
  end
+
+  # 职业认证的权限判断
+  def ec_auth
+    unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == @school.id)
+      render_403
+    end
+  end
 end