From c20ded5a2f7fd7c93eb5b7f24e9b8b6054a8218d Mon Sep 17 00:00:00 2001
From: Florian Kraft
Date: Wed, 19 Aug 2015 17:33:35 +0200
Subject: [PATCH] add checks around the actions for each block

Otherwise, anon users can access the controls and start editing content (unsuccessfully) though

Signed-off-by: Florian Kraft
---
 app/views/my_projects_overviews/_block.html.erb | 2 ++
 .../_block_textilizable.html.erb | 13 ++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/app/views/my_projects_overviews/_block.html.erb b/app/views/my_projects_overviews/_block.html.erb
index a1df7ea3bb..057d68e0c6 100644
--- a/app/views/my_projects_overviews/_block.html.erb
+++ b/app/views/my_projects_overviews/_block.html.erb
@@ -24,12 +24,14 @@ See doc/COPYRIGHT.md for more details.
 <% block_name_id = "my_page_#{block_name}_box_actions" %>
 <% content_for block_name_id do %>
+ <% if User.current.allowed_to?(:remove_block, nil, global: true) %>
 <%= link_to_remote l(:button_delete), {
 :confirm => l(:label_confirm_delete),
 :url => { :action => "remove_block", :block => block_name },
 :class => "icon icon-delete" }
 %>
+ <% end %>
 <% end %>
diff --git a/app/views/my_projects_overviews/_block_textilizable.html.erb b/app/views/my_projects_overviews/_block_textilizable.html.erb
index 35a1aaa7bc..64647839fd 100644
--- a/app/views/my_projects_overviews/_block_textilizable.html.erb
+++ b/app/views/my_projects_overviews/_block_textilizable.html.erb
@@ -49,14 +49,17 @@ See doc/COPYRIGHT.md for more details.
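Review bot: The new `if User.current.allowed_to?(:remove_block, nil, global: true)` around the delete link is a presentation check only: it keeps the control out of the rendered markup but does nothing against a request sent straight to `remove_block`, so the controller action has to enforce the same permission (the commit message implies it already rejects such requests, but that is not visible in this patch). A short comment above the guard would keep the next maintainer from mistaking it for the authorization point, e.g. `<%# display only: remove_block is authorized in the controller %>`. The identical expression is repeated in `_block_textilizable.html.erb` in this same commit; a small view helper wrapping that call would keep the two partials from drifting when the permission or its scope changes. Several surrounding markup lines of this hunk are not visible as shown, so the placement of the added `<% end %>` relative to the closing tags could not be checked.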
- <%= l(:button_edit) %>
-
- <%= link_to_remote l(:button_delete), {
- :confirm => l(:label_confirm_delete),
+ <% unless User.current.anonymous? %>
+ <%= l(:button_edit) %>
+ <% end %>
+ <% if User.current.allowed_to?(:remove_block, nil, global: true) %>
+ <%= link_to_remote l(:button_delete), {
+ :confirm => l(:label_confirm_delete),
 :url => { :action => "remove_block", :block => block_name },
 :class => "icon icon-delete" }
- %>
+ %>
+ <% end %>
<% end %>
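Review bot: The edit control and the delete control are now gated by different tests: `unless User.current.anonymous?` only checks that someone is signed in, while the delete link checks `allowed_to?(:remove_block, nil, global: true)`, so any authenticated user still sees the edit button even when the permission-based check hides the delete link next to it. If editing a block is permission-checked in the controller, the view should mirror that same permission rather than anonymity so the two controls disappear together; if there genuinely is no finer permission for editing, a comment such as `<%# no dedicated edit permission: any signed-in user may see the control %>` would make the asymmetry deliberate rather than accidental. As with the delete guard, hiding the markup is not authorization and the server-side check must remain the real gate. The markup enclosing these lines is not visible in the hunk as shown.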