Fix permissions + cleanup

10 years ago · 231a5789e4
parent 3d264624a2
commit 231a5789e4
3 changed files with 16 additions and 6 deletions
--- a/lib/api/v3/work_packages/base_contract.rb
+++ b/lib/api/v3/work_packages/base_contract.rb
@ -97,17 +97,11 @@ module API
          @can = WorkPackagePolicy.new(user)
        end

-        validate :user_allowed_to_edit
-
        extend Reform::Form::ActiveModel::ModelValidations
        copy_validations_from WorkPackage

        private

-        def user_allowed_to_edit
-          errors.add :error_unauthorized, '' unless @can.allowed?(model, :edit)
-        end
-
        def validate_people_visible(attribute, id_attribute, list)
          id = model[id_attribute]

--- a/lib/api/v3/work_packages/create_contract.rb
+++ b/lib/api/v3/work_packages/create_contract.rb
@ -35,6 +35,16 @@ module API
        # Hence making them writable here is unproblematic.
        attribute :project_id
        attribute :author_id
+
+        validate :user_allowed_to_add
+
+        private
+
+        def user_allowed_to_add
+          unless @user.allowed_to?(:add_work_packages, model.project)
+            errors.add :error_unauthorized, ''
+          end
+        end
      end
    end
  end
--- a/lib/api/v3/work_packages/update_contract.rb
+++ b/lib/api/v3/work_packages/update_contract.rb
@ -37,8 +37,14 @@ module API

        validate :user_allowed_to_access

+        validate :user_allowed_to_edit
+
        private

+        def user_allowed_to_edit
+          errors.add :error_unauthorized, '' unless @can.allowed?(model, :edit)
+        end
+
        # TODO: when someone every fixes the way errors are added in the contract:
        # find a solution to ensure that THIS validation supersedes others (i.e. show 404 if
        # there is no access allowed)