Merge remote-tracking branch 'origin/dev_aliyun' into dev_aliyun

5 years ago · 0ee1d9a9f4
parent c4efa0df80 6d394bf72e
commit 0ee1d9a9f4
2 changed files with 6 additions and 4 deletions
--- a/app/controllers/examination_banks_controller.rb
+++ b/app/controllers/examination_banks_controller.rb
@ -3,7 +3,7 @@ class ExaminationBanksController < ApplicationController
  before_action :require_login
  before_action :certi_identity_auth, only: [:create, :edit, :update, :destroy, :set_public, :revoke_item, :cancel_items]
  before_action :find_exam, except: [:index, :create, :cancel_items]
-  before_action :edit_auth, only: [:update, :destroy, :set_public, :revoke_item, :cancel_items]
+  before_action :edit_auth, only: [:update, :set_public, :revoke_item, :cancel_items]
  before_action :identity_auth, only: [:index]

  def index
@ -52,6 +52,7 @@ class ExaminationBanksController < ApplicationController
  end

  def destroy
+    tip_exception(403, "无权限") unless current_user.admin? || @item.user == current_user
    ActiveRecord::Base.transaction do
      ApplyAction.where(container_type: "ExaminationBank", container_id: @exam.id).destroy_all
      @exam.destroy!
@ -92,6 +93,6 @@ class ExaminationBanksController < ApplicationController
  end

  def edit_auth
-    current_user.admin_or_business? || @exam.user == current_user
+    tip_exception(403, "无权限") unless current_user.admin_or_business? || @exam.user == current_user
  end
 end
--- a/app/controllers/item_banks_controller.rb
+++ b/app/controllers/item_banks_controller.rb
@ -3,7 +3,7 @@ class ItemBanksController < ApplicationController
  before_action :require_login
  before_action :certi_identity_auth, only: [:create, :edit, :update, :destroy, :set_public]
  before_action :find_item, except: [:index, :create]
-  before_action :edit_auth, only: [:update, :destroy, :set_public]
+  before_action :edit_auth, only: [:update, :set_public]
  before_action :identity_auth, only: [:index]

  def index
@ -41,6 +41,7 @@ class ItemBanksController < ApplicationController
  end

  def destroy
+    tip_exception(403, "无权限") unless current_user.admin? || @item.user == current_user
    ActiveRecord::Base.transaction do
      ApplyAction.where(container_type: "ItemBank", container_id: @item.id).destroy_all
      if @item.item_type == "PROGRAM"
@ -67,7 +68,7 @@ class ItemBanksController < ApplicationController
  end

  def edit_auth
-    current_user.admin_or_business? || @item.user == current_user
+    tip_exception(403, "无权限") unless current_user.admin_or_business? || @item.user == current_user
  end

  def form_params