解决私有组织栏目通过url能访问的问题

app/controllers/files_controller.rb

@@ -406,10 +406,14 @@ class FilesController < ApplicationController
       @container_type = 2
       @containers = [ OrgSubfield.includes(:attachments).reorder(sort).find(@org_subfield.id)]
       @organization = Organization.find(@containers.first.organization_id)
-      show_attachments @containers
-      @tag_list = attachment_tag_list @all_attachments
-      @page = params[:page] || 1
-      render :layout => 'base_org'
+      if @organization.is_public? or User.current.admin? or User.current.member_of_org?(@organization)
+        show_attachments @containers
+        @tag_list = attachment_tag_list @all_attachments
+        @page = params[:page] || 1
+        render :layout => 'base_org'
+      else
+        render_403
+      end
       # @subfield = params[:org_subfield_id]
     end
 

app/controllers/org_subfields_controller.rb

@@ -33,61 +33,65 @@ class OrgSubfieldsController < ApplicationController
       domain = Secdomain.where("subname=?", request.subdomain).first
       @organization = Organization.find(domain.pid)
     end
-    @org_subfield = OrgSubfield.find_by_sql("select distinct org_subfields.* from org_subfields,"+
-        "subfield_subdomain_dirs where org_subfields.id = subfield_subdomain_dirs.org_subfield_id and "+
-        " org_subfields.organization_id=#{@organization.id} and subfield_subdomain_dirs.name='#{params[:sub_dir_name]}'").first
-    if @org_subfield.field_type == 'Post'
+    if @organization.is_public? or User.current.admin? or User.current.member_of_org?(@organization)
+      @org_subfield = OrgSubfield.find_by_sql("select distinct org_subfields.* from org_subfields,"+
+                                                  "subfield_subdomain_dirs where org_subfields.id = subfield_subdomain_dirs.org_subfield_id and "+
+                                                  " org_subfields.organization_id=#{@organization.id} and subfield_subdomain_dirs.name='#{params[:sub_dir_name]}'").first
+      if @org_subfield.field_type == 'Post'
         @org_subfield_ids = @org_subfield.org_document_comments.map(&:id) << 0
         @org_activities = OrgActivity.where("(org_act_type='OrgDocumentComment'and org_act_id in (#{@org_subfield_ids.join(",")})) || (container_type='OrgSubfield' and container_id=#{@org_subfield.id})").order('updated_at desc').page(params[:page] || 1).per(10)
         #redirect_to organization_path(@organization, :org_subfield_id => @org_subfield.id)
-    else
-      if params[:sort]
-        params[:sort].split(",").each do |sort_type|
-          order_by = sort_type.split(":")
-          case order_by[0]
-            when "filename"
-              attribute = "filename"
-            when "size"
-              attribute = "filesize"
-            when "attach_type"
-              attribute = "attachtype"
-            when "content_type"
-              attribute = "created_on"
-            when "field_file_dense"
-              attribute = "is_public"
-            when "downloads"
-              attribute = "downloads"
-            when "created_on"
-              attribute = "created_on"
-            when "quotes"
-              attribute = "quotes"
-            else
-              attribute = "created_on"
-          end
-          @sort = order_by[0]
-          @order = order_by[1]
-          if order_by.count == 1 && attribute
-            sort += "#{Attachment.table_name}.#{attribute} asc "
-            if sort_type != params[:sort].split(",").last
-              sort += ","
+      else
+        if params[:sort]
+          params[:sort].split(",").each do |sort_type|
+            order_by = sort_type.split(":")
+            case order_by[0]
+              when "filename"
+                attribute = "filename"
+              when "size"
+                attribute = "filesize"
+              when "attach_type"
+                attribute = "attachtype"
+              when "content_type"
+                attribute = "created_on"
+              when "field_file_dense"
+                attribute = "is_public"
+              when "downloads"
+                attribute = "downloads"
+              when "created_on"
+                attribute = "created_on"
+              when "quotes"
+                attribute = "quotes"
+              else
+                attribute = "created_on"
             end
-          elsif order_by.count == 2 && order_by[1]
-            sort += "#{Attachment.table_name}.#{attribute} #{order_by[1]} "
-            if sort_type != params[:sort].split(",").last
-              sort += ","
+            @sort = order_by[0]
+            @order = order_by[1]
+            if order_by.count == 1 && attribute
+              sort += "#{Attachment.table_name}.#{attribute} asc "
+              if sort_type != params[:sort].split(",").last
+                sort += ","
+              end
+            elsif order_by.count == 2 && order_by[1]
+              sort += "#{Attachment.table_name}.#{attribute} #{order_by[1]} "
+              if sort_type != params[:sort].split(",").last
+                sort += ","
+              end
             end
           end
+        else
+          sort = "#{Attachment.table_name}.created_on desc"
         end
-      else
-        sort = "#{Attachment.table_name}.created_on desc"
+        @container_type = 2
+        @containers = [OrgSubfield.includes(:attachments).reorder(sort).find(@org_subfield.id)]
+        @organization = Organization.find(@containers.first.organization_id)
+        show_attachments @containers
+        @tag_list = attachment_tag_list @all_attachments
       end
-      @container_type = 2
-      @containers = [ OrgSubfield.includes(:attachments).reorder(sort).find(@org_subfield.id)]
-      @organization = Organization.find(@containers.first.organization_id)
-      show_attachments @containers
-      @tag_list = attachment_tag_list @all_attachments
+      @page = params[:page] || 1
+    else
+      render_403
     end
-    @page = params[:page] || 1
     #render :layout => 'base_org'
   end