Merge remote-tracking branch 'origin/dev_aliyun' into dev_aliyun

app/controllers/application_controller.rb

@@ -48,6 +48,19 @@ class ApplicationController < ActionController::Base
 		EduSetting.get(name)
 	end
 
+	# 平台身份权限判断（学生用户无权限）
+	def identity_auth
+		ue = current_user.user_extension
+		tip_exception(403, "..") unless current_user.admin_or_business? || ue.teacher? || ue.professional?
+	end
+
+	# 平台已认证身份判断（已认证的老师和专业人士）
+	def certi_identity_auth
+		ue = current_user.user_extension
+		tip_exception(403, "..") unless current_user.admin_or_business? ||
+																									(current_user.professional_certification && (ue.teacher? || ue.professional?))
+	end
+
 	def shixun_marker
 		unless current_user.is_shixun_marker? || current_user.admin_or_business?
 			tip_exception(403, "..")
@@ -73,7 +86,7 @@ class ApplicationController < ActionController::Base
 			check_account
 			tip_exception(@course.excellent ? 410 : 409, "您没有权限进入")
 		end
-		if @user_course_identity > Course::CREATOR && @user_course_identity <= Course::STUDENT
+		if @user_course_identity > Course::CREATOR && @user_course_identity <= Course::STUDENT && @course.tea_id != current_user.id
 			# 实名认证和职业认证的身份判断
 			tip_exception(411, "你的实名认证和职业认证审核未通过") if @course.authentication &&
 				@course.professional_certification && (!current_user.authentication && !current_user.professional_certification)

app/controllers/course_groups_controller.rb

@@ -2,7 +2,7 @@ class CourseGroupsController < ApplicationController
   before_action :require_login, :check_auth
   before_action :set_group, except: [:create]
   before_action :find_course, only: [:create]
-  before_action :teacher_allowed
+  before_action :teacher_allowed, except: [:set_invite_code_halt]
 
   def create
     tip_exception("分班名称不能为空") if params[:name].blank?
@@ -57,6 +57,9 @@ class CourseGroupsController < ApplicationController
 
   # 邀请码停用/启用
   def set_invite_code_halt
+    teacher = @course.teachers.find_by(user_id: current_user.id)
+    tip_exception(403, "无权限") unless current_user.admin_or_business? ||
+      (teacher.present? && (teacher.teacher_course_groups.pluck(:course_group_id).include?(@group.id) || teacher.teacher_course_groups.size == 0))
     @group.update!(invite_code_halt: !@group.invite_code_halt)
     normal_status(0, "成功")
   end

app/controllers/examination_banks_controller.rb

@@ -1,8 +1,10 @@
 class ExaminationBanksController < ApplicationController
   include PaginateHelper
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :edit, :update, :destroy, :set_public, :revoke_item]
   before_action :find_exam, except: [:index, :create]
   before_action :edit_auth, only: [:update, :destroy, :set_public, :revoke_item]
+  before_action :identity_auth, only: [:index]
 
   def index
     exams = ExaminationBankQuery.call(params)

app/controllers/examination_intelligent_settings_controller.rb

@@ -1,5 +1,6 @@
 class ExaminationIntelligentSettingsController < ApplicationController
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :optinal_items, :save_exam, :exchange_one_item, :exchange_items]
   before_action :find_exam, only: [:exchange_one_item, :exchange_items, :save_exam]
 
   def optinal_items

app/controllers/examination_items_controller.rb

@@ -1,5 +1,6 @@
 class ExaminationItemsController < ApplicationController
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :destroy, :delete_item_type, :set_score, :batch_set_score, :adjust_position]
   before_action :validate_score, only: [:set_score, :batch_set_score]
   before_action :find_exam, only: [:create, :batch_set_score, :delete_item_type]
   before_action :find_item, except: [:create, :batch_set_score, :delete_item_type]

app/controllers/item_banks_controller.rb

@@ -1,8 +1,10 @@
 class ItemBanksController < ApplicationController
   include PaginateHelper
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :edit, :update, :destroy, :set_public]
   before_action :find_item, except: [:index, :create]
   before_action :edit_auth, only: [:update, :destroy, :set_public]
+  before_action :identity_auth, only: [:index]
 
   def index
     items = ItemBankQuery.call(params)

app/controllers/item_baskets_controller.rb

@@ -1,5 +1,6 @@
 class ItemBasketsController < ApplicationController
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :delete_item_type, :destroy, :set_score, :batch_set_score, :adjust_position]
   before_action :validate_score, only: [:set_score, :batch_set_score]
   helper_method :current_basket
 

app/helpers/courses_helper.rb

@@ -12,6 +12,12 @@ module CoursesHelper
     # end
   end
 
+  def edit_auth group, teachers
+    User.current.admin_or_business? ||
+      teachers.select{|teacher| teacher.user_id == User.current.id &&
+        (teacher.teacher_course_groups.pluck(:course_group_id).include?(group.id) || teacher.teacher_course_groups.size == 0)}.size > 0
+  end
+
     # 是否有切换为学生的入口
   def switch_student_role is_teacher, course, user
     is_teacher && course.course_members.where(user_id: user.id, role: %i(STUDENT)).exists?

app/views/courses/course_groups.json.jbuilder

@@ -1,7 +1,8 @@
 json.course_groups @course_groups.each do |group|
-  json.(group, :id, :course_members_count, :name)
+  json.(group, :id, :course_members_count, :name, :invite_code_halt)
   json.invite_code group.invite_code if @user_course_identity < Course::STUDENT
   json.member_manager member_manager(group, @teachers) if @user_course_identity < Course::NORMAL
+  json.edit_auth edit_auth(group, @teachers) if @user_course_identity < Course::STUDENT
 end
 
 if @user_course_identity == Course::STUDENT