prevent non-authorized users from accessing medical release files

This commit is contained in:
bilal
2020-06-18 14:33:49 +02:00
parent 988ef2beab
commit 88ec777299
7 changed files with 214 additions and 4 deletions


@@ -48,8 +48,10 @@ class ContractsController < ApplicationController
# Native release contracts must be generated on-the-fly; non-native releases have a contract attachment
if releasable.native?
send_file contract.to_pdf, download_attributes
else
elsif policy(contract).show?
redirect_to releasable.contract.service_url
else
raise Pundit::NotAuthorizedError
end
end
end
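Review bot: The native branch `send_file contract.to_pdf, download_attributes` is still reached without any policy check; only the non-native `elsif` asks `policy(contract).show?`, so a medical release whose contract is generated on the fly would be served to any user who can reach this action unless an `authorize` call exists earlier in the action, which is outside the hunk. Gate the whole branch rather than one arm: put `raise Pundit::NotAuthorizedError unless policy(contract).show?` before `if releasable.native?`, keep the original `else` for the redirect, and drop the new `else`/`raise` arm. Calling `authorize contract` there instead would also satisfy `verify_authorized` if the controller uses it. The enclosing action begins before the hunk.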


@@ -29,6 +29,10 @@ class Contract
}
end
def medical_release?
@releasable.instance_of?(MedicalRelease)
end
private
def contract_template
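Review bot: `@releasable.instance_of?(MedicalRelease)` matches the exact class only, so any subclass of MedicalRelease would answer false and fall through to the broader ContractPolicy rule — the fail-open direction for an authorization predicate. `@releasable.is_a?(MedicalRelease)` is the safer test, and a one-line comment should record why the predicate exists: `# Used by ContractPolicy to apply the stricter rule for medical release contracts.` Whether any subclass exists is not visible from this hunk. The Contract class continues outside the hunk.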


@@ -1,5 +1,9 @@
class ContractPolicy < ApplicationPolicy
def show?
user.manager? || user.account_manager?
if record.respond_to?(:medical_release?) && record.medical_release?
user.account_manager?
else
user.manager? || user.account_manager?
end
end
end
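Review bot: The `record.respond_to?(:medical_release?)` guard makes `show?` fall back to the broader `manager? || account_manager?` rule whenever `record` is not a Contract instance — including `policy(Contract).show?` with the class, as the medical release view calls it — so the stricter branch is skipped silently rather than failing closed. If class-level calls are meant to get the general rule, say so above the `if`: `# A class record (policy(Contract)) has no releasable and gets the general rule; callers holding a medical release must also check MedicalReleasePolicy#download_single?.` Otherwise a guard clause keeps the strict rule prominent: `return user.account_manager? if record.respond_to?(:medical_release?) && record.medical_release?` followed by the general rule as the last expression.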


@@ -31,7 +31,11 @@ class MedicalReleasePolicy < ReleasePolicy
true
end
def download_single?
user.account_manager?
end
def download_multiple?
true
download_single?
end
end
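Review bot: `download_single?` and `download_multiple?` never consult `record`, so the restriction is purely role-based, and nothing in the method names says so; a reader could assume a per-release check is happening. A comment above `download_single?` would make the contract explicit: `# Role-only rule: any account manager may download any medical release contract; the record is not consulted.` Delegating `download_multiple?` to `download_single?` is a good choice since it keeps the two in step. The MedicalReleasePolicy class begins outside the hunk.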


@@ -37,7 +37,7 @@
<% if policy(medical_release.tags).new? %>
<%= link_to fa_icon("tags fw", text: "Tags"), [:new, medical_release, :acts_as_taggable_on_tag], class: "dropdown-item", remote: true %>
<% end %>
<% if policy(Contract).show? && (medical_release.contract.attached? || medical_release.contract_template.present?) %>
<% if policy(MedicalRelease).download_single? && policy(Contract).show? && (medical_release.contract.attached? || medical_release.contract_template.present?) %>
<%= link_to fa_icon("download fw", text: "Download"), [medical_release, :contracts, format: "pdf"], class: "dropdown-item", target: "_blank" %>
<% end %>
<% if policy(medical_release).destroy? %>
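Review bot: The new condition asks `policy(MedicalRelease).download_single?` and `policy(Contract).show?` on classes, while the line just below asks `policy(medical_release).destroy?` on the instance; with a class record, ContractPolicy#show? cannot see `medical_release?` and answers with its general rule, so the link's visibility here rests on `download_single?` alone. Pass the instance for consistency, `policy(medical_release).download_single?`, so that any record-based rule added later is honoured in this template as well. Hiding the link is UI-only; enforcement stays with the controller's `policy(contract).show?` check. The long condition could move into a view helper (for example `medical_release_contract_downloadable?(medical_release)`) to keep the template readable.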