From acfd55a2582fa8bf7cc261510c2e4789b8956ecc Mon Sep 17 00:00:00 2001
From: Connor Turland
Date: Mon, 27 Oct 2014 13:26:24 -0400
Subject: [PATCH] add authorize to delete to controller, fix private map message, fix new map css issue
---
app/assets/stylesheets/application.css | 2 +-
app/controllers/maps_controller.rb | 22 +++++++++++++++-------
app/models/map.rb | 7 +++++++
3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/app/assets/stylesheets/application.css b/app/assets/stylesheets/application.css
index 1ae46f4d..ea524f6d 100644
--- a/app/assets/stylesheets/application.css
+++ b/app/assets/stylesheets/application.css
@@ -2297,7 +2297,7 @@ and it won't be important on password protected instances */ #newmap_co:hover, #newmap_co.selected { background-position: 0 -64px; } -#newmap_pu:hover, #newmap_co.selected { +#newmap_pu:hover, #newmap_pu.selected { background-position: -64px -64px; } #newmap_pr:hover, #newmap_pr.selected {
diff --git a/app/controllers/maps_controller.rb b/app/controllers/maps_controller.rb
index c3159b63..8975870b 100644
--- a/app/controllers/maps_controller.rb
+++ b/app/controllers/maps_controller.rb
@@ -208,18 +208,26 @@ class MapsController < ApplicationController def destroy @current = current_user - @map = Map.find(params[:id]) + @map = Map.find(params[:id]).authorize_to_delete(@current) - @mappings = @map.mappings + if @map + @mappings = @map.mappings - @mappings.each do |mapping| - mapping.delete + @mappings.each do |mapping| + mapping.delete + end + + @map.delete end - @map.delete - respond_to do |format| - format.html { redirect_to "/maps/mappers/" + @current.id.to_s, notice: "Map deleted." } + format.json { + if @map + render json: "success" + else + render json: "unauthorized" + end + } end end end
diff --git a/app/models/map.rb b/app/models/map.rb
index 9cc39fe3..fcfefc81 100644
--- a/app/models/map.rb
+++ b/app/models/map.rb
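Review bot: The denial branch of `destroy` in app/controllers/maps_controller.rb answers `render json: "unauthorized"` with the default 200 status, so at the HTTP layer a refused delete looks the same as a successful one to clients, access logs and monitoring. Return an explicit status instead, e.g. `render json: "unauthorized", status: :forbidden`. The commit also removes `format.html`, leaving `format.json` as the only responder visible in the hunk; if the action is meant to be JSON-only, a short comment saying so above `respond_to` would help. The class body starts outside the hunk, so any login filter that covers `destroy` is not visible here.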
@@ -86,6 +86,13 @@ class Map < ActiveRecord::Base ##### PERMISSIONS ###### + def authorize_to_delete(user) + if (self.user != user) + return false + end + return self + end + # returns false if user not allowed to 'show' Topic, Synapse, or Map def authorize_to_show(user) if (self.permission == "private" && self.user != user)
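Review bot: `authorize_to_delete` in app/models/map.rb allows the delete whenever `self.user != user` is false, which includes the case where both sides are nil (a map with no owner and a request with no logged-in user). Whether either value can be nil is not visible in this hunk, but a delete check should fail closed: `return false if user.nil? || self.user != user`. The sibling `authorize_to_show` carries a `# returns false if ...` comment, and this method should get one too, e.g. `# returns the map if user owns it, false otherwise`. `authorize_to_show` itself continues past the end of the hunk.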