解决私有组织栏目通过url能访问的问题

app/controllers/files_controller.rb

@@ -406,10 +406,14 @@ class FilesController < ApplicationController
       @container_type = 2
       @containers = [ OrgSubfield.includes(:attachments).reorder(sort).find(@org_subfield.id)]
       @organization = Organization.find(@containers.first.organization_id)
+      if @organization.is_public? or User.current.admin? or User.current.member_of_org?(@organization)
         show_attachments @containers
         @tag_list = attachment_tag_list @all_attachments
         @page = params[:page] || 1
         render :layout => 'base_org'
+      else
+        render_403
+      end
       # @subfield = params[:org_subfield_id]
     end
 

app/controllers/org_subfields_controller.rb

@@ -33,6 +33,7 @@ class OrgSubfieldsController < ApplicationController
       domain = Secdomain.where("subname=?", request.subdomain).first
       @organization = Organization.find(domain.pid)
     end
+    if @organization.is_public? or User.current.admin? or User.current.member_of_org?(@organization)
       @org_subfield = OrgSubfield.find_by_sql("select distinct org_subfields.* from org_subfields,"+
                                                   "subfield_subdomain_dirs where org_subfields.id = subfield_subdomain_dirs.org_subfield_id and "+
                                                   " org_subfields.organization_id=#{@organization.id} and subfield_subdomain_dirs.name='#{params[:sub_dir_name]}'").first
@@ -88,6 +89,9 @@ class OrgSubfieldsController < ApplicationController
         @tag_list = attachment_tag_list @all_attachments
       end
       @page = params[:page] || 1
+    else
+      render_403
+    end
     #render :layout => 'base_org'
   end