Merge branch 'dev_aliyun' of https://bdgit.educoder.net/Hjqreturn/educoder into dev_aliyun

app/controllers/application_controller.rb

@@ -232,6 +232,14 @@ class ApplicationController < ActionController::Base
 			User.current = User.find 12
 		end
 
+		if params[:debug] == 'teacher' #todo 为了测试,记得讲debug删除
+			User.current = User.find 81403
+		elsif params[:debug] == 'student'
+			User.current = User.find 8686
+		elsif params[:debug] == 'admin'
+			User.current = User.find 1
+		end
+
 		# User.current = User.find 81403
 	end
 

app/controllers/attachments_controller.rb

@@ -2,7 +2,7 @@
 #
 #  文件上传
 class AttachmentsController < ApplicationController
-  before_action :require_login, :check_auth
+  before_action :require_login, :check_auth, except: [:show]
   before_action :find_file, only: %i[show destroy]
 
   include ApplicationHelper
@@ -10,6 +10,8 @@ class AttachmentsController < ApplicationController
   def show
     # 1. 优先跳到cdn
     # 2. 如果没有cdn，send_file
+    candown = attachment_candown @file
+    tip_exception("您没有权限下载该附件") if !candown
     if @file.cloud_url.present?
       update_downloads(@file)
       redirect_to @file.cloud_url and return
@@ -157,4 +159,33 @@ class AttachmentsController < ApplicationController
     end
     edu_setting('public_cdn_host') + "/" + path
   end
+
+  def attachment_candown attachment
+    return true if current_user.admin? || current_user.business?
+    candown = false
+    if attachment.container && current_user.logged?
+      # 课堂资源、作业、毕设相关资源的权限判断
+      if attachment.container.is_a?(Course)
+        course = attachment.container
+        candown = current_user.member_of_course?(course) || attachment.is_public == 1
+      elsif attachment.container.is_a?(HomeworkCommon) || attachment.container.is_a?(GraduationTask) || attachment.container.is_a?(GraduationTopic)
+        course = attachment.container&.course
+      elsif attachment.container.is_a?(StudentWork)
+        course = attachment.container&.homework_common&.course
+      elsif attachment.container.is_a?(StudentWorksScore)
+        course = attachment.container&.student_work&.homework_common&.course
+      elsif attachment.container.is_a?(GraduationWork)
+        course = attachment.container&.graduation_task&.course
+      elsif attachment.container.is_a?(GraduationWorkScore)
+        course = attachment.container&.graduation_work&.graduation_task&.course
+      else
+        candown = true
+      end
+
+      candown = !candown && course.present? ? current_user.member_of_course?(course) : candown
+    else
+      candown = true
+    end
+    candown
+  end
 end

app/controllers/courses_controller.rb

@@ -29,10 +29,10 @@ class CoursesController < ApplicationController
                                          :transfer_to_course_group, :delete_from_course,
                                          :search_users, :add_students_by_search, :get_historical_courses, :add_teacher_popup, :add_teacher]
   before_action :admin_allowed, only: [:set_invite_code_halt, :set_public_or_private, :change_course_admin,
-                                       :set_course_group, :delete_course_teacher, :create_group_by_importing_file]
+                                       :set_course_group, :create_group_by_importing_file]
   before_action :teacher_or_admin_allowed, only: [:graduation_group_list, :create_graduation_group, :join_graduation_group,
                                                   :change_course_teacher, :export_member_scores_excel, :course_group_list,
-                                                  :teacher_application_review, :apply_teachers]
+                                                  :teacher_application_review, :apply_teachers, :delete_course_teacher]
   before_action :validate_course_name, only: [:create, :update]
   before_action :find_board, only: :board_list
   before_action :validate_page_size, only: :mine

app/models/user.rb

@@ -250,7 +250,7 @@ class User < ApplicationRecord
 
   # 课堂成员
   def member_of_course?(course)
-    course.course_members.exists?(user_id: id)
+    course&.course_members.exists?(user_id: id)
   end
 
   # 实训路径管理员：创建者或admin