From 19fc84afee6a77799990a324bc53855aee4d3c8e Mon Sep 17 00:00:00 2001
From: sw <939547590@qq.com>
Date: Wed, 11 Jun 2014 17:34:57 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BD=9C=E4=B8=9A=E5=A2=9E=E5=8A=A0=E6=88=90?= =?UTF-8?q?=E5=91=98=E3=80=81=E5=88=A0=E9=99=A4=E6=88=90=E5=91=98=E5=A2=9E?= =?UTF-8?q?=E5=8A=A0=E6=9D=83=E9=99=90=E6=8E=A7=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/controllers/homework_attach_controller.rb | 63 ++++++++++---------
 1 file changed, 35 insertions(+), 28 deletions(-)
diff --git a/app/controllers/homework_attach_controller.rb b/app/controllers/homework_attach_controller.rb
index ef0e99452..09d357ebf 100644
--- a/app/controllers/homework_attach_controller.rb
+++ b/app/controllers/homework_attach_controller.rb
@@ -2,7 +2,7 @@ class HomeworkAttachController < ApplicationController
 ###############################
 #判断当前角色权限时需先找到当前操作的project
 before_filter :find_project_by_bid_id, :only => [:new]
- before_filter :find_project_by_hoemwork_id, :only => [:edit,:update,:destroy]
+ before_filter :find_project_by_hoemwork_id, :only => [:edit,:update,:destroy,:show,:add_homework_users,:destory_homework_users]
 #判断当前角色是否有操作权限
 #勿删
 before_filter :authorize, :only => [:new,:edit,:update,:destroy]
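Review bot: The three actions added to the `find_project_by_hoemwork_id` filter are not added to the `before_filter :authorize` list on the last line of this hunk, so show, add_homework_users and destory_homework_users depend entirely on the inline `User.current` checks inside each action. Later hunks in this patch also comment out `@homework = HomeworkAttach.find(params[:id])` in those actions, so they now assume the filter assigns `@homework` and handles a missing id; the filter body is outside this diff, so that should be confirmed before merging. A short comment above the filter line would record the dependency, e.g. `# also loads @homework for the actions listed here`.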
@@ -28,36 +28,43 @@ class HomeworkAttachController < ApplicationController #作业添加成员(参与人员) def add_homework_users - @homework = HomeworkAttach.find(params[:id]) - - if params[:membership] - if params[:membership][:user_ids] - attrs = params[:membership].dup - user_ids = attrs.delete(:user_ids) - user_ids.each do |user_id| - @homework.homework_users.build(:user_id => user_id) + if User.current.admin? || User.current == @homework.user + #@homework = HomeworkAttach.find(params[:id]) + if params[:membership] + if params[:membership][:user_ids] + attrs = params[:membership].dup + user_ids = attrs.delete(:user_ids) + user_ids.each do |user_id| + @homework.homework_users.build(:user_id => user_id) + end end end - end - @homework.save - @hoemwork_users = users_for_homework(@homework) - @members = members_for_homework(@homework,@hoemwork_users,params[:q]) - @members = paginateHelper @members,10 - respond_to do |format| - format.js + @homework.save + @hoemwork_users = users_for_homework(@homework) + @members = members_for_homework(@homework,@hoemwork_users,params[:q]) + @members = paginateHelper @members,10 + respond_to do |format| + format.js + end + else + render_403 :message => :notice_not_authorized end end #作业删除成员(参与人员) def destory_homework_users - @homework = HomeworkAttach.find(params[:id]) - homework_user = @homework.homework_users.where("user_id = #{params[:user_id]}").first - homework_user.destroy - @hoemwork_users = users_for_homework(@homework) - @members = members_for_homework(@homework,@hoemwork_users,params[:q]) - @members = paginateHelper @members,10 - respond_to do |format| - format.js + #@homework = HomeworkAttach.find(params[:id]) + if User.current.admin? 
|| User.current == @homework.user + homework_user = @homework.homework_users.where("user_id = #{params[:user_id]}").first + homework_user.destroy + @hoemwork_users = users_for_homework(@homework) + @members = members_for_homework(@homework,@hoemwork_users,params[:q]) + @members = paginateHelper @members,10 + respond_to do |format| + format.js + end + else + render_403 :message => :notice_not_authorized end end @@ -155,7 +162,7 @@ class HomeworkAttachController < ApplicationController end def edit - @homework = HomeworkAttach.find(params[:id]) + #@homework = HomeworkAttach.find(params[:id]) if User.current.admin? || User.current.member_of?(@homework.bid.courses.first) #@members = @homework.bid.courses.first.members.joins(:member_roles).where("member_roles.role_id IN (:role_id)", {:role_id => [5, 10]}) @hoemwork_users = users_for_homework(@homework) @@ -167,7 +174,7 @@ class HomeworkAttachController < ApplicationController end def update - @homework = HomeworkAttach.find(params[:id]) + #@homework = HomeworkAttach.find(params[:id]) course = @homework.bid.courses.first if User.current.admin? || User.current.member_of?(course) name = params[:homework_name] @@ -190,7 +197,7 @@ class HomeworkAttachController < ApplicationController end def destroy - @homework = HomeworkAttach.find(params[:id]) + #@homework = HomeworkAttach.find(params[:id]) if User.current.admin? || User.current.member_of?(@homework.bid.courses.first) if @homework.destroy respond_to do |format| @@ -206,7 +213,7 @@ class HomeworkAttachController < ApplicationController #显示作业信息 def show - @homework = HomeworkAttach.find(params[:id]) + #@homework = HomeworkAttach.find(params[:id]) if User.current.admin? || User.current.member_of?(@homework.bid.courses.first) # 打分统计 stars_reates = @homework.
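Review bot: The re-indented lookup in destory_homework_users still interpolates a request parameter into the SQL fragment, `where("user_id = #{params[:user_id]}")`; the new owner/admin check narrows who reaches it, but any homework owner still controls that string. Use the hash condition instead, `homework_user = @homework.homework_users.where(:user_id => params[:user_id]).first`, and guard the result with `homework_user.destroy if homework_user`, because an id that matches no row currently ends in a NoMethodError on nil. In add_homework_users the submitted `user_ids` are passed to `build` as-is and the result of `@homework.save` is ignored; whether those ids are restricted to course members is not visible in this hunk and is worth checking.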
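Review bot: edit keeps the `User.current.member_of?(@homework.bid.courses.first)` check, so any member of the course can still open another member's homework for editing, while this patch restricts membership changes to `User.current == @homework.user`; the same applies to update and destroy in the following hunks. If teachers are meant to keep that access this may be intended, but the difference should be stated in a comment or the owner check reused. The commented-out `#@homework = HomeworkAttach.find(params[:id])` left in these actions (and in show, add_homework_users and destory_homework_users) should be deleted or replaced with `# @homework is set by the find_project_by_hoemwork_id before_filter`. The bodies of edit, update and destroy continue outside their hunks.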