diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 411481f0e..15f918c01 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -48,6 +48,19 @@ class ApplicationController < ActionController::Base
     EduSetting.get(name)
   end
 
+  # 平台身份权限判断(学生用户无权限)
+  def identity_auth
+    ue = current_user.user_extension
+    tip_exception(403, "..") unless current_user.admin_or_business? || ue.teacher? || ue.professional?
+  end
+
+  # 平台已认证身份判断(已认证的老师和专业人士)
+  def certi_identity_auth
+    ue = current_user.user_extension
+    tip_exception(403, "..") unless current_user.admin_or_business? ||
+      (current_user.professional_certification && (ue.teacher? || ue.professional?))
+  end
+
   def shixun_marker
     unless current_user.is_shixun_marker? || current_user.admin_or_business?
       tip_exception(403, "..")
@@ -73,7 +86,7 @@ class ApplicationController < ActionController::Base
       check_account
       tip_exception(@course.excellent ? 410 : 409, "您没有权限进入")
     end
-    if @user_course_identity > Course::CREATOR && @user_course_identity <= Course::STUDENT
+    if @user_course_identity > Course::CREATOR && @user_course_identity <= Course::STUDENT && @course.tea_id != current_user.id
       # 实名认证和职业认证的身份判断
       tip_exception(411, "你的实名认证和职业认证审核未通过") if @course.authentication && @course.professional_certification && (!current_user.authentication && !current_user.professional_certification)
diff --git a/app/controllers/course_groups_controller.rb b/app/controllers/course_groups_controller.rb
index fd59dd497..d07a1e12c 100644
--- a/app/controllers/course_groups_controller.rb
+++ b/app/controllers/course_groups_controller.rb
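Review bot: `ue = current_user.user_extension` is dereferenced without a nil check in both identity_auth and certi_identity_auth, so a logged-in user whose user_extension row is missing would get a NoMethodError (500) rather than the intended 403; if user_extension can be absent, `ue&.teacher? || ue&.professional?` in both guards makes the check fail closed. The two methods also repeat the same teacher/professional predicate, which could live in one private helper (e.g. `platform_identity?(ue)`) so the two guards cannot drift apart. Both rely on `require_login` having run first to guarantee current_user; stating that in the comment helps, since these are registered as before_actions from several other controllers in this commit.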
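Review bot: The added `&& @course.tea_id != current_user.id` exempts the course owner from the certification checks that follow even when their member identity is above Course::CREATOR, but nothing records why the identity range alone no longer suffices; a why-comment such as `# course owner (tea_id) skips the certification checks regardless of member identity` would stop the next reader from simplifying it away. If the owner's identity is always CREATOR the clause is redundant, and if it is not, this is now the one place where tea_id overrides the identity model, so the expected case should be documented. The enclosing method starts and ends outside this hunk.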
@@ -2,7 +2,7 @@ class CourseGroupsController < ApplicationController
   before_action :require_login, :check_auth
   before_action :set_group, except: [:create]
   before_action :find_course, only: [:create]
-  before_action :teacher_allowed
+  before_action :teacher_allowed, except: [:set_invite_code_halt]
 
   def create
     tip_exception("分班名称不能为空") if params[:name].blank?
@@ -57,6 +57,9 @@ class CourseGroupsController < ApplicationController
 
   # 邀请码停用/启用
   def set_invite_code_halt
+    teacher = @course.teachers.find_by(user_id: current_user.id)
+    tip_exception(403, "无权限") unless current_user.admin_or_business? ||
+      (teacher.present? && (teacher.teacher_course_groups.pluck(:course_group_id).include?(@group.id) || teacher.teacher_course_groups.size == 0))
     @group.update!(invite_code_halt: !@group.invite_code_halt)
     normal_status(0, "成功")
   end
diff --git a/app/controllers/examination_banks_controller.rb b/app/controllers/examination_banks_controller.rb
index 251cd197f..1a2f3f564 100644
--- a/app/controllers/examination_banks_controller.rb
+++ b/app/controllers/examination_banks_controller.rb
@@ -1,8 +1,10 @@
 class ExaminationBanksController < ApplicationController
   include PaginateHelper
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :edit, :update, :destroy, :set_public, :revoke_item]
   before_action :find_exam, except: [:index, :create]
   before_action :edit_auth, only: [:update, :destroy, :set_public, :revoke_item]
+  before_action :identity_auth, only: [:index]
 
   def index
     exams = ExaminationBankQuery.call(params)
diff --git a/app/controllers/examination_intelligent_settings_controller.rb b/app/controllers/examination_intelligent_settings_controller.rb
index 10384b7cb..8675e699e 100644
--- a/app/controllers/examination_intelligent_settings_controller.rb
+++ b/app/controllers/examination_intelligent_settings_controller.rb
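Review bot: The new guard in set_invite_code_halt loads `teacher.teacher_course_groups` twice (a pluck and then a size), and the same "admin, or a teacher assigned to this group or to no group at all" rule is re-implemented in CoursesHelper#edit_auth in this commit, so the two copies can diverge. Reading the ids once keeps it to a single query and reads clearer: `ids = teacher&.teacher_course_groups&.pluck(:course_group_id)` followed by `tip_exception(403, "无权限") unless current_user.admin_or_business? || (ids && (ids.empty? || ids.include?(@group.id)))`, and the shared rule belongs in one model or helper method that both callers use. Because `before_action :teacher_allowed` is now skipped for this action (first hunk of this file), this inline check is the only authorization on the endpoint; a one-line comment saying so, and that a teacher with no group assignment is deliberately allowed to manage every group, would make the intent reviewable.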
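Review bot: `:edit` is added to the certi_identity_auth list but is absent from the `edit_auth` list two lines below, so a certified teacher who does not own the exam can still reach edit while update is refused; if edit renders the owner's data it should carry the same ownership check, `before_action :edit_auth, only: [:edit, :update, :destroy, :set_public, :revoke_item]`. identity_auth is applied to :index only, so any other read action this controller has (find_exam runs for everything except index and create, so presumably a show exists) stays reachable by student accounts — confirm that is intended. The same two gaps appear in the item_banks_controller hunk.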
@@ -1,5 +1,6 @@
 class ExaminationIntelligentSettingsController < ApplicationController
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :optinal_items, :save_exam, :exchange_one_item, :exchange_items]
   before_action :find_exam, only: [:exchange_one_item, :exchange_items, :save_exam]
 
   def optinal_items
diff --git a/app/controllers/examination_items_controller.rb b/app/controllers/examination_items_controller.rb
index ee7a27c59..97aac3bc6 100644
--- a/app/controllers/examination_items_controller.rb
+++ b/app/controllers/examination_items_controller.rb
@@ -1,5 +1,6 @@
 class ExaminationItemsController < ApplicationController
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :destroy, :delete_item_type, :set_score, :batch_set_score, :adjust_position]
   before_action :validate_score, only: [:set_score, :batch_set_score]
   before_action :find_exam, only: [:create, :batch_set_score, :delete_item_type]
   before_action :find_item, except: [:create, :batch_set_score, :delete_item_type]
diff --git a/app/controllers/item_banks_controller.rb b/app/controllers/item_banks_controller.rb
index f108c1fad..cc046d061 100644
--- a/app/controllers/item_banks_controller.rb
+++ b/app/controllers/item_banks_controller.rb
@@ -1,8 +1,10 @@
 class ItemBanksController < ApplicationController
   include PaginateHelper
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :edit, :update, :destroy, :set_public]
   before_action :find_item, except: [:index, :create]
   before_action :edit_auth, only: [:update, :destroy, :set_public]
+  before_action :identity_auth, only: [:index]
 
   def index
     items = ItemBankQuery.call(params)
diff --git a/app/controllers/item_baskets_controller.rb b/app/controllers/item_baskets_controller.rb
index 03355189d..b047e3d78 100644
--- a/app/controllers/item_baskets_controller.rb
+++ b/app/controllers/item_baskets_controller.rb
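Review bot: The guards in this hunk, the examination_items_controller hunk and the item_baskets_controller hunk are allow-lists (`only:`), so every action not named — existing ones not visible here, or any added later — runs without the certification check; if every action in these controllers is a certified-teacher operation, `before_action :certi_identity_auth` with no `only:` (or an explicit `except:`) fails closed instead. The symbols must also match action names exactly: `:optinal_items` happens to match the existing `def optinal_items`, but a mistyped symbol is silently ignored on Rails versions without raise_on_missing_callback_actions, which is a further argument for deny-by-default here. If some actions are intentionally open, a short comment next to the before_action listing them would record that decision.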
@@ -1,5 +1,6 @@
 class ItemBasketsController < ApplicationController
   before_action :require_login
+  before_action :certi_identity_auth, only: [:create, :delete_item_type, :destroy, :set_score, :batch_set_score, :adjust_position]
   before_action :validate_score, only: [:set_score, :batch_set_score]
   helper_method :current_basket
diff --git a/app/helpers/courses_helper.rb b/app/helpers/courses_helper.rb
index 37e108a74..f0d58adbb 100644
--- a/app/helpers/courses_helper.rb
+++ b/app/helpers/courses_helper.rb
@@ -12,6 +12,12 @@ module CoursesHelper
   # end
   end
 
+  def edit_auth group, teachers
+    User.current.admin_or_business? ||
+      teachers.select{|teacher| teacher.user_id == User.current.id &&
+        (teacher.teacher_course_groups.pluck(:course_group_id).include?(group.id) || teacher.teacher_course_groups.size == 0)}.size > 0
+  end
+
   # 是否有切换为学生的入口
   def switch_student_role is_teacher, course, user
     is_teacher && course.course_members.where(user_id: user.id, role: %i(STUDENT)).exists?
diff --git a/app/views/courses/course_groups.json.jbuilder b/app/views/courses/course_groups.json.jbuilder
index 48a5922a6..0057befb6 100644
--- a/app/views/courses/course_groups.json.jbuilder
+++ b/app/views/courses/course_groups.json.jbuilder
@@ -1,7 +1,8 @@
 json.course_groups @course_groups.each do |group|
-  json.(group, :id, :course_members_count, :name)
+  json.(group, :id, :course_members_count, :name, :invite_code_halt)
   json.invite_code group.invite_code if @user_course_identity < Course::STUDENT
   json.member_manager member_manager(group, @teachers) if @user_course_identity < Course::NORMAL
+  json.edit_auth edit_auth(group, @teachers) if @user_course_identity < Course::STUDENT
 end
 
 if @user_course_identity == Course::STUDENT
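Review bot: `teachers.select { ... }.size > 0` in edit_auth is a membership test and reads better as `teachers.any? { |teacher| ... }`, which also stops at the first match. The helper is called once per group from the course_groups.json.jbuilder hunk in this commit, and each call issues a pluck and a size query for the matching teacher, so the current teacher's group ids are worth computing once before the loop (or preloading teacher_course_groups) rather than per group. The name `edit_auth` is also the name several controllers register as a `before_action`; if CoursesHelper is ever included in one of those controllers the two definitions would collide, so a more specific name such as `group_edit_auth?` would be safer.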
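Review bot: `:invite_code_halt` is now emitted for every identity, while `invite_code` on the next line stays restricted to identities below Course::STUDENT; if the halt flag is only meaningful to users who can see the code, it should be gated the same way, `json.invite_code_halt group.invite_code_halt if @user_course_identity < Course::STUDENT`. Exposing it to students is harmless if the UI needs it, but the asymmetry deserves a comment either way.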