From a048c8735618a3a95116421a27fb747d4e3aba1e Mon Sep 17 00:00:00 2001 From: Connor Turland Date: Wed, 28 Jan 2015 22:35:03 -0500 Subject: [PATCH] mapper who doesn't own a topic or synapse should not be able to delete it. --- app/assets/javascripts/src/Metamaps.js | 46 +++++++++++++++----------- app/controllers/synapses_controller.rb | 16 ++++----- app/controllers/topics_controller.rb | 4 +-- app/models/synapse.rb | 7 ++++ app/models/topic.rb | 7 ++++ 5 files changed, 51 insertions(+), 29 deletions(-) diff --git a/app/assets/javascripts/src/Metamaps.js b/app/assets/javascripts/src/Metamaps.js index 86875ecc..07e9af96 100644 --- a/app/assets/javascripts/src/Metamaps.js +++ b/app/assets/javascripts/src/Metamaps.js @@ -2751,14 +2751,18 @@ Metamaps.Control = { var node = Metamaps.Visualize.mGraph.graph.getNode(nodeid); var topic = node.getData('topic'); - var topicid = topic.id; - var mapping = node.getData('mapping'); - topic.destroy(); - Metamaps.Mappings.remove(mapping); - $(document).trigger(Metamaps.JIT.events.deleteTopic, [{ - topicid: topicid - }]); - Metamaps.Control.hideNode(nodeid); + + var permToDelete = Metamaps.Active.Mapper.id === topic.get('user_id'); + if (permToDelete) { + var topicid = topic.id; + var mapping = node.getData('mapping'); + topic.destroy(); + Metamaps.Mappings.remove(mapping); + $(document).trigger(Metamaps.JIT.events.deleteTopic, [{ + topicid: topicid + }]); + Metamaps.Control.hideNode(nodeid); + } }, removeSelectedNodes: function () { // refers to removing topics permanently from a map 
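Review bot: When `permToDelete` is false the new `if` block turns the delete into a silent no-op — the node stays on the map and the mapper gets no indication why, so an `else` branch that surfaces the refusal (a notification, or at least a `console.warn`) would avoid a confusing dead click; the same applies to the synapse branch in the `@@ -2918` hunk. The comparison is a UI convenience only and should not be mistaken for enforcement, which a comment such as `// UI guard only; the server re-checks ownership in authorize_to_delete` makes explicit. If `topic.get('user_id')` can arrive as a string from the serialized JSON while `Metamaps.Active.Mapper.id` is a number, the strict `===` will never match and owners will be unable to delete their own topics — worth confirming against the attribute type. `Metamaps.Active.Mapper` is dereferenced without a null check, so if a logged-out viewer can reach this path it will throw rather than refuse; guard it with `Metamaps.Active.Mapper && ...` in that case. The enclosing method starts outside the hunk.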
@@ -2918,19 +2922,23 @@ Metamaps.Control = { var synapse = edge.getData("synapses")[index]; var mapping = edge.getData("mappings")[index]; - var synapseid = synapse.id; - synapse.destroy(); + + var permToDelete = Metamaps.Active.Mapper.id === synapse.get('user_id'); + if (permToDelete) { + var synapseid = synapse.id; + synapse.destroy(); - // the server will destroy the mapping, we just need to remove it here - Metamaps.Mappings.remove(mapping); - edge.getData("mappings").splice(index, 1); - edge.getData("synapses").splice(index, 1); - if (edge.getData("displayIndex")) { - delete edge.data.$displayIndex; + // the server will destroy the mapping, we just need to remove it here + Metamaps.Mappings.remove(mapping); + edge.getData("mappings").splice(index, 1); + edge.getData("synapses").splice(index, 1); + if (edge.getData("displayIndex")) { + delete edge.data.$displayIndex; + } + $(document).trigger(Metamaps.JIT.events.deleteSynapse, [{ + synapseid: synapseid + }]); } - $(document).trigger(Metamaps.JIT.events.deleteSynapse, [{ - synapseid: synapseid - }]); }, removeSelectedEdges: function () { var l = Metamaps.Selected.Edges.length, diff --git a/app/controllers/synapses_controller.rb b/app/controllers/synapses_controller.rb index c048627c..6ff1537b 100644 --- a/app/controllers/synapses_controller.rb +++ b/app/controllers/synapses_controller.rb @@ -49,16 +49,16 @@ class SynapsesController < ApplicationController # DELETE synapses/:id def destroy @current = current_user - @synapse = Synapse.find(params[:id]).authorize_to_edit(@current) + @synapse = Synapse.find(params[:id]).authorize_to_delete(@current) - @synapse.mappings.each do |m| - - m.map.touch(:updated_at) - - m.delete + if @synapse + @synapse.mappings.each do |m| + m.map.touch(:updated_at) + m.delete + end + + @synapse.delete end - - @synapse.delete if @synapse respond_to do |format| format.json { head :no_content } 
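Review bot: An unauthorized delete still answers `head :no_content` — when `authorize_to_delete` returns `false`, `@synapse` is `false`, the `if @synapse` block is skipped, and the unchanged `respond_to` at the end of the hunk returns 204 exactly as for a successful delete, so the client cannot tell refusal from success and the hidden-node state on the JS side drifts from what the server holds. Returning an explicit status right after the lookup, `return head :forbidden unless @synapse`, keeps the success path unchanged and makes refusals visible to the client and in the request log. The `@@ -200` hunk in `topics_controller.rb` has the same shape and needs the same guard. `destroy` continues past the end of the hunk.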
diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb index e39b67a8..ca24d1fb 100644 --- a/app/controllers/topics_controller.rb +++ b/app/controllers/topics_controller.rb @@ -200,7 +200,7 @@ class TopicsController < ApplicationController # DELETE topics/:id def destroy @current = current_user - @topic = Topic.find(params[:id]).authorize_to_edit(@current) + @topic = Topic.find(params[:id]).authorize_to_delete(@current) if @topic @synapses = @topic.synapses @@ -230,7 +230,7 @@ class TopicsController < ApplicationController end respond_to do |format| - format.js { render :json => "success" } + format.json { head :no_content } end end end diff --git a/app/models/synapse.rb b/app/models/synapse.rb index 4766f7ea..a1395648 100644 --- a/app/models/synapse.rb +++ b/app/models/synapse.rb @@ -39,6 +39,13 @@ class Synapse < ActiveRecord::Base end return self end + + def authorize_to_delete(user) + if (self.user != user) + return false + end + return self + end # returns Boolean if user allowed to view Topic, Synapse, or Map def authorize_to_view(user) diff --git a/app/models/topic.rb b/app/models/topic.rb index 4d9cd527..7e5fff94 100644 --- a/app/models/topic.rb +++ b/app/models/topic.rb @@ -110,6 +110,13 @@ class Topic < ActiveRecord::Base end return self end + + def authorize_to_delete(user) + if (self.user != user) + return false + end + return self + end # returns Boolean if user allowed to view Topic, Synapse, or Map def authorize_to_view(user)
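Review bot: Replacing `format.js { render :json => "success" }` with `format.json { head :no_content }` in the `@@ -230` hunk changes which request format the action accepts, so any caller that still requests DELETE topics/:id expecting a script response will no longer be served and will not see the old `"success"` body. Presumably the Backbone `topic.destroy()` in Metamaps.js sends JSON and this is the intended alignment with `synapses_controller.rb`, but it is worth confirming no other caller depends on the previous format. The `@@ -200` hunk above shares the 204-on-refusal issue raised for `synapses_controller.rb`, and both method bodies extend outside their hunks.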
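Review bot: `authorize_to_delete` in the `synapse.rb` hunk treats a `nil` caller as authorized whenever the record has no owner — with `user == nil` and `self.user == nil`, `self.user != user` is false and the method returns `self`, so an unauthenticated request (if one can reach `destroy`) could delete ownerless rows. Tightening the guard to `return false if user.nil? || self.user != user` closes that case without touching the owner path, and a header comment in the style of the neighbouring method, `# returns self if user owns this record (and may delete it), else false`, documents the self/false return convention the controllers rely on. The method added in the `topic.rb` hunk is byte-for-byte the same and needs the same change; the duplication is a candidate for a shared concern.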