mapper who doesn't own a topic or synapse should not be able to delete it.

2015-01-28 22:35:03 -05:00 · 2015-01-28 22:35:03 -05:00 · a048c87356
parent c61de991af
commit a048c87356
5 changed files with 51 additions and 29 deletions
--- a/app/assets/javascripts/src/Metamaps.js
+++ b/app/assets/javascripts/src/Metamaps.js
@ -2751,6 +2751,9 @@ Metamaps.Control = {

        var node = Metamaps.Visualize.mGraph.graph.getNode(nodeid);
        var topic = node.getData('topic');
+        
+        var permToDelete = Metamaps.Active.Mapper.id === topic.get('user_id');
+        if (permToDelete) {
            var topicid = topic.id;
            var mapping = node.getData('mapping');
            topic.destroy();
@ -2759,6 +2762,7 @@ Metamaps.Control = {
                topicid: topicid
            }]);
            Metamaps.Control.hideNode(nodeid);
+        }
    },
    removeSelectedNodes: function () { // refers to removing topics permanently from a map

@ -2918,6 +2922,9 @@ Metamaps.Control = {

        var synapse = edge.getData("synapses")[index];
        var mapping = edge.getData("mappings")[index];
+            
+        var permToDelete = Metamaps.Active.Mapper.id === synapse.get('user_id');
+        if (permToDelete) {
            var synapseid = synapse.id;
            synapse.destroy();

@ -2931,6 +2938,7 @@ Metamaps.Control = {
            $(document).trigger(Metamaps.JIT.events.deleteSynapse, [{
                synapseid: synapseid
            }]);
+        }
    },
    removeSelectedEdges: function () {
        var l = Metamaps.Selected.Edges.length,
--- a/app/controllers/synapses_controller.rb
+++ b/app/controllers/synapses_controller.rb
@ -49,16 +49,16 @@ class SynapsesController < ApplicationController
  # DELETE synapses/:id
  def destroy
    @current = current_user
-    @synapse = Synapse.find(params[:id]).authorize_to_edit(@current)
+    @synapse = Synapse.find(params[:id]).authorize_to_delete(@current)

+    if @synapse
      @synapse.mappings.each do |m|
-    
        m.map.touch(:updated_at)
-          
        m.delete
      end

-    @synapse.delete if @synapse
+      @synapse.delete
+    end
      
    respond_to do |format|
      format.json { head :no_content }
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -200,7 +200,7 @@ class TopicsController < ApplicationController
    # DELETE topics/:id
    def destroy
        @current = current_user
-        @topic = Topic.find(params[:id]).authorize_to_edit(@current)
+        @topic = Topic.find(params[:id]).authorize_to_delete(@current)

        if @topic 
            @synapses = @topic.synapses
@ -230,7 +230,7 @@ class TopicsController < ApplicationController
        end

        respond_to do |format|
-            format.js { render :json => "success" }
+            format.json { head :no_content }
        end
    end
 end
--- a/app/models/synapse.rb
+++ b/app/models/synapse.rb
@ -40,6 +40,13 @@ class Synapse < ActiveRecord::Base
 	return self
  end

+  def authorize_to_delete(user)  
+    if (self.user != user)
+      return false
+    end
+    return self
+  end
+  
  # returns Boolean if user allowed to view Topic, Synapse, or Map
  def authorize_to_view(user)  
 	if (self.permission == "private" && self.user != user)
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@ -111,6 +111,13 @@ class Topic < ActiveRecord::Base
 	return self
  end

+  def authorize_to_delete(user)  
+    if (self.user != user)
+      return false
+    end
+    return self
+  end
+  
  # returns Boolean if user allowed to view Topic, Synapse, or Map
  def authorize_to_view(user)  
 	if (self.permission == "private" && self.user != user)