diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 4a9220939..afe2129a9 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -23,6 +23,13 @@ class ApplicationController < ActionController::Base
     EduSetting.get(name)
   end
+  # 实训的访问权限
+  def shixun_access_allowed
+    if !current_user.shixun_permission(@shixun)
+      tip_exception(403, "..")
+    end
+  end
+
   def user_course_identity
     @user_course_identity = current_user.course_identity(@course)
     if @user_course_identity > Course::STUDENT && @course.is_public == 0
diff --git a/app/controllers/challenges_controller.rb b/app/controllers/challenges_controller.rb
index b821929d6..8550c20ce 100644
--- a/app/controllers/challenges_controller.rb
+++ b/app/controllers/challenges_controller.rb
@@ -5,8 +5,10 @@ class ChallengesController < ApplicationController
   before_action :find_challenge, only: [:edit, :show, :update, :create_choose_question, :index_down, :index_up, :edit_choose_question, :show_choose_question, :destroy_challenge_choose, :update_choose_question, :destroy, :crud_answer, :answer]
-  # 权限控制
-  before_action :allowed, except: [:index]
+  # 关卡更新和操作的权限控制
+  before_action :update_allowed, except: [:index]
+  # 关卡访问的权限控制
+  before_action :shixun_access_allowed
   include ShixunsHelper
   include ChallengesHelper
@@ -279,6 +281,9 @@ class ChallengesController < ApplicationController
   def find_shixun
     @shixun = Shixun.find_by_identifier(params[:shixun_identifier])
+    if !current_user.shixun_permission(@shixun)
+      tip_exception(403, "..")
+    end
   end
   # 通用接口
@@ -298,7 +303,7 @@ class ChallengesController < ApplicationController
     :standard_answer, :score, :difficult)
   end
-  def allowed
+  def update_allowed
     unless current_user.manager_of_shixun?(@shixun)
       raise Educoder::TipException.new(403, "..")
     end
diff --git a/app/controllers/shixuns_controller.rb b/app/controllers/shixuns_controller.rb
index 5f7c13964..0cf4fc77e 100644
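Review bot: `shixun_access_allowed` reads `@shixun` without checking that it was set, so any controller that registers it before its `find_shixun` filter, or whose `find_shixun` leaves `@shixun` nil, ends up calling `current_user.shixun_permission(nil)`; whether that denies or raises is not visible in this diff. It likewise assumes `current_user` is non-nil, i.e. that a login filter ran first. The two-line `if !…` also reads better in modifier form. Suggested body: `# Expects @shixun to have been set by a preceding find_shixun filter and current_user to be logged in.` followed by `tip_exception(403, "..") unless current_user.shixun_permission(@shixun)`.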
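Review bot: `before_action :shixun_access_allowed` makes the same permission check that this commit also inlines into `ChallengesController#find_shixun` (the hunk at line 279) run twice per request; keep one copy, preferably this filter, which is what ShixunsController ends up with. The filter reads `@shixun`, so it only works if `find_shixun` is registered earlier in this class (its `before_action` line is outside the hunk) and also runs for `index`, which the new filter no longer excepts. A comment such as `# must run after find_shixun, which sets @shixun` on the new line would document that ordering.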
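Review bot: `Shixun.find_by_identifier` returns nil for an unknown identifier, and the added lines pass that nil straight to `current_user.shixun_permission`; `ShixunsController#find_shixun` (hunk at line 726) answers with `normal_status(404, "...")` and `return` before any permission check, and this copy should do the same so a missing record yields 404 rather than whatever `shixun_permission(nil)` does. The `if !…` block would also read better as `tip_exception(403, "..") unless current_user.shixun_permission(@shixun)`.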
--- a/app/controllers/shixuns_controller.rb
+++ b/app/controllers/shixuns_controller.rb
@@ -2,8 +2,9 @@ class ShixunsController < ApplicationController
   before_action :require_login, except: [:download_file, :index, :menus]
   before_action :check_auth, except: [:download_file, :index]
-  before_action :find_shixun, except: [:index, :new, :create, :menus, :get_recommend_shixuns, :propaedeutics,
-                                       :departments, :apply_shixun_mirror, :get_mirror_script, :download_file]
+  before_action :find_shixun, :shixun_access_allowed, except: [:index, :new, :create, :menus, :get_recommend_shixuns,
+                                                               :propaedeutics, :departments, :apply_shixun_mirror,
+                                                               :get_mirror_script, :download_file]
   before_action :find_repo_name, only: [:repository, :commits, :file_content, :update_file, :shixun_exec, :copy]
   before_action :allowed, only: [:update, :close, :update_propaedeutics, :settings, :publish,
@@ -726,10 +727,6 @@ private
       normal_status(404, "...")
       return
     end
-
-    if !current_user.shixun_permission(@shixun)
-      tip_exception(403, "..")
-    end
   end
   def find_repo_name
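Review bot: Listing `:shixun_access_allowed` in the same `before_action` as `:find_shixun` is order-dependent, since the new filter reads `@shixun`, and nothing on the line records that; a comment like `# order matters: shixun_access_allowed reads @shixun set by find_shixun` would. Note also that the 404 path kept in `find_shixun` (hunk at line 726) only stops `shixun_access_allowed` from running if `normal_status` renders a response and so halts the filter chain — if it merely sets state, the access check runs afterwards with `@shixun` nil. That is worth confirming against `normal_status`, which is not visible here.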