From db081f1f3b6bf09b9ad5110b28acd8c3c444aeac Mon Sep 17 00:00:00 2001
From: jingquan huang
Date: Sat, 22 Jun 2019 10:47:40 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=9E=E8=AE=AD=E6=9D=83=E9=99=90=E9=97=AE?= =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/controllers/shixuns_controller.rb | 3 +--
 app/models/user.rb | 17 +++++++++++------
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/app/controllers/shixuns_controller.rb b/app/controllers/shixuns_controller.rb
index 499bd0aa4..165b570fc 100644
--- a/app/controllers/shixuns_controller.rb
+++ b/app/controllers/shixuns_controller.rb
@@ -1,6 +1,6 @@
 class ShixunsController < ApplicationController
 # before_action :require_login, except: [:download_file, :index, :menus]
- # before_action :check_auth, except: [:download_file, :index]
+ before_action :check_auth, except: [:download_file, :index]
 before_action :find_shixun, except: [:index, :new, :create, :menus, :get_recommend_shixuns, :propaedeutics, :departments, :apply_shixun_mirror, :get_mirror_script, :download_file]
@@ -710,7 +710,6 @@ private
 def find_shixun
 @shixun = Shixun.find_by_identifier(params[:identifier])
- shixun = Shixun.where(identifier: params[:identifier]).first
 if @shixun.blank?
 normal_status(404, "...")
 return
diff --git a/app/models/user.rb b/app/models/user.rb
index ece69dc02..a877b2b90 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
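Review bot: Enabling `before_action :check_auth` while the `require_login` filter above it stays commented out means `check_auth` now runs for unauthenticated requests on every action except `download_file` and `index`; `check_auth` itself is not visible in this hunk, so confirm it denies or redirects when there is no current user rather than raising. Because it is declared before `find_shixun`, it runs first in callback order and must not rely on `@shixun`; its `except:` list is also narrower than `find_shixun`'s (`:menus`, `:new`, `:create` and others are exempt from `find_shixun` only), so any action the old `require_login` line intended to keep public, such as `menus`, is now gated. If that is intended, a short comment on the line records the decision, e.g. `# check_auth runs before find_shixun; it must not depend on @shixun and gates menus/new/create on purpose`; if not, reconcile the two `except:` lists explicitly rather than leaving them to drift.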
@@ -386,13 +386,18 @@ class User < ApplicationRecord
 end
 # 用户是否有权限查看实训
+ # 1、实训删除只有管理员能看到
+ # 2、实训隐藏了只有管理员、实训合作者能看到
+ # 3、如果有限制学校范围,则学校的用户、管理员、实训合作者能看到
 def shixun_permission(shixun)
- # 性能优化:先处理不需要权限的实训(已发布并且没有单位权限限制的实训)
- return false if shixun.status != 2 || shixun.hidden # 隐藏或者未发布的实训:false
- return true if shixun.use_scope == 0 # 对所有学校公开
- return true if shixun.use_scope == 1 && (manager_of_shixun?(shixun) || shixun.shixun_schools.exists?(school_id: school_id)) # 对部分高校公开
- # return true if manager_of_shixun?(shixun) # 实训管理员
- return false
+ case status
+ when -1 # 软删除只有管理员能访问
+ admin?
+ when 0, 1, 3 # 申请发布或者已关闭的实训,只有实训管理员可以访问
+ manager_of_shixun?(shixun)
+ when 2
+ shixun.use_scope == 0 || (manager_of_shixun?(shixun) || shixun.shixun_schools.exists?(school_id: school_id))
+ end
 end
 # 用户在平台名称的显示方式
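Review bot: `case status` dispatches on the User's own `status`, not the shixun's — the method receives `shixun` and the removed line checked `shixun.status` — so the authorization decision keys off the wrong object (and raises NoMethodError if User has no `status` attribute); it should read `case shixun.status`. The new header comment also says hidden shixuns are visible only to admins and collaborators, but `shixun.hidden` is no longer checked anywhere, and the `when 2` branch never consults `admin?`, so comment and code disagree unless `manager_of_shixun?` already covers admins (not visible here). A `case` with no `else` returns `nil` for any other status, which happens to deny but hides the default; an explicit `else false` keeps the deny path visible. A rewrite covering these three points is sketched below.

```ruby
def shixun_permission(shixun)
  case shixun.status # the shixun's status, not the calling user's
  # … unchanged: when -1 / when 0, 1, 3 branches …
  when 2
    # hidden shixuns: only admins and collaborators, as the header comment states
    return admin? || manager_of_shixun?(shixun) if shixun.hidden
    shixun.use_scope == 0 || admin? || manager_of_shixun?(shixun) || shixun.shixun_schools.exists?(school_id: school_id)
  else
    false # unknown status: deny explicitly rather than falling through to nil
  end
end
```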