Display cost objects tab only if the user has the rights to see them. (refs #16658)

git-svn-id: https://dev.finn.de/svn/cockpit/trunk@1142 7926756e-e54e-46e6-9721-ed318f58905e
15 years ago · 0bd6a616c6
parent b54b6906d3
commit 0bd6a616c6
1 changed files with 9 additions and 5 deletions
--- a/app/controllers/cost_objects_controller.rb
+++ b/app/controllers/cost_objects_controller.rb
@ -10,13 +10,15 @@ class CostObjectsController < ApplicationController
  before_filter :find_optional_project, :only => [:index]

  before_filter :authorize, :except => [
-    # authorization in find_optional_project
    :index,
+    
    # unrestricted actions
    :preview, :context_menu,
    :update_material_budget_item, :update_labor_budget_item
    ]
  
+  before_filter :authorize, :only => :index, :if => @project
+  
  verify :method => :post, :only => [:bulk_edit, :destroy],
         :redirect_to => { :action => :index }
  
@ -229,10 +231,12 @@ private
  end
  
  def find_optional_project
-    @project = Project.find(params[:project_id]) unless params[:project_id].blank?
-
-    allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, @project, :global => true)
-    allowed ? true : deny_access
+    if params[:project_id]
+      @project = Project.find(params[:project_id])
+    else
+      allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, nil, :global => true)
+      allowed ? true : deny_access
+    end
  rescue ActiveRecord::RecordNotFound
    render_404
  end