Use of lifecycle.valid_key? in viewable_by?
Reported by James Garlick | September 8th, 2008 @ 02:37 PM
lifecycle.provided_key should be set before the can_view? permission is tested during a lifecycle transition action so that you can do a test like lifecycle.valid_key? in viewable_by?
Suggested change to prepare_for_transition in model_controller.rb:
def prepare_for_transition(name, options={})
  self.this = model.find(params[:id])
  this.exempt_from_edit_checks = true
  # Set the key before the view check so viewable_by? can call lifecycle.valid_key?
  this.lifecycle.provided_key = params[:key]
  raise Hobo::Model::PermissionDeniedError unless Hobo.can_view?(current_user, this)
  @transition = this.lifecycle.find_transition(name, current_user)
end
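The ordering issue described in the ticket, as an added example that is not part of the ticket and not Hobo's code: a view check that depends on the lifecycle key denies a guest holding the correct key whenever it runs before the key is assigned. Lifecycle, Invitation, PermissionDenied, outcome, SAMPLE_KEY and the set_key_first switch are hypothetical stand-ins, and the constant-time comparison is an assumption about how a key check might be written.

```ruby
# Hypothetical stand-ins for the Hobo names used in the ticket; none of this is Hobo's code.
SAMPLE_KEY = "3f9c1a7e5b2d4c68".freeze # constructed sample key

class Lifecycle
  attr_accessor :provided_key

  def initialize(expected_key)
    @expected_key = expected_key
  end

  # False when no key was supplied; otherwise a constant-time comparison.
  def valid_key?
    given = provided_key.to_s
    return false unless given.bytesize == @expected_key.bytesize
    given.bytes.zip(@expected_key.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

Invitation = Struct.new(:lifecycle) do
  # Anyone other than the owner may view the record only with a valid lifecycle key.
  def viewable_by?(user)
    user == :owner || lifecycle.valid_key?
  end
end

class PermissionDenied < StandardError; end

# set_key_first: true follows the order proposed in the ticket;
# false runs the view check before the key has been assigned.
def prepare_for_transition(record, params, user, set_key_first:)
  record.lifecycle.provided_key = params[:key] if set_key_first
  raise PermissionDenied unless record.viewable_by?(user)
  record.lifecycle.provided_key = params[:key] unless set_key_first
  :prepared
end

# Runs one request as a guest against a fresh record and reports the result.
def outcome(key, set_key_first:)
  record = Invitation.new(Lifecycle.new(SAMPLE_KEY))
  prepare_for_transition(record, { key: key }, :guest, set_key_first: set_key_first)
rescue PermissionDenied
  :denied
end

puts outcome(SAMPLE_KEY, set_key_first: true)
puts outcome(SAMPLE_KEY, set_key_first: false)
```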
Comments and changes to this ticket
-
Tom Locke September 9th, 2008 @ 05:32 PM
Before this change you're suggesting, view permission wasn't checked at all by the looks of it. Is that right?
-
James Garlick September 9th, 2008 @ 09:55 PM
No, the current implementation calls find_instance rather than model.find, which calls user_find.
-
Tom Locke September 11th, 2008 @ 10:15 AM
- State changed from new to open
-
Tom Locke September 15th, 2008 @ 11:42 AM
- State changed from open to resolved