authorjessib <jessib@riseup.net>2012-11-05 13:18:43 -0800
committerjessib <jessib@riseup.net>2012-11-05 13:18:43 -0800
commitc7177593aaf2b1b8fd8dbd53b9cfb6562e1411d7 (patch)
tree476e067b49bc740890e44e5abbf42408ee41d6d2
parent3515a598341282c20feb5950a81f43552280688d (diff)
Use the same URL for viewing tickets when authenticated or not---the couchdb ID will be the random string for the secret URL.
Tickets created when user was unauthenticated will be viewable by anybody who knows the URL.
-rw-r--r--help/app/controllers/tickets_controller.rb7
-rw-r--r--help/app/models/ticket.rb8
-rw-r--r--help/app/views/tickets/show.html.haml7
-rw-r--r--users/app/controllers/controller_extension/authentication.rb2
4 files changed, 12 insertions, 12 deletions
diff --git a/help/app/controllers/tickets_controller.rb b/help/app/controllers/tickets_controller.rb
index 4130ee6..a9e0bd4 100644
--- a/help/app/controllers/tickets_controller.rb
+++ b/help/app/controllers/tickets_controller.rb
@@ -41,7 +41,7 @@ class TicketsController < ApplicationController
def update
@ticket = Ticket.find(params[:id])
- if !ticket_access_denied?
+ if !ticket_access_denied? #can update w/out logging in if the ticket was created unauthenticated
#below is excessively complicated. issue is that we don't need a new comment if we have changed anything else (currently, is_open is the only other thing to change.) However, if we don't change anything else, then we want to try to add a new comment (and possibly fail.) Likely this should all be redone.
@ticket.is_open = params[:ticket][:is_open]
@@ -93,9 +93,10 @@ class TicketsController < ApplicationController
private
+
def ticket_access_denied?
- # TODO---we will allow unauthenticated users to view tickets with a code
- if !admin? and current_user.id != @ticket.created_by
+ # allow access if user is admin, the ticket was created without unauthentication (thus anybody with URL can access ticket where created_by is nil), or if there is a non-admin user and they created the ticket
+ if !admin? and @ticket.created_by and (!current_user or current_user.id != @ticket.created_by)
@ticket = nil
access_denied
end
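Review bot: ticket_access_denied? returns whatever access_denied returns, and after the change in the authentication.rb hunk that is nil for a logged-out visitor (its last statement, `redirect_to root_url, :alert => "Not authorized" if logged_in?`, evaluates to nil), so a logged-out request for a ticket whose created_by is set gets the redirect but the predicate reads as "not denied" and update carries on modifying the ticket. The denial branch should return an explicit boolean instead of the redirect's value, e.g. `@ticket = nil`, `access_denied`, `true` as the three statements inside the if; the method's own end is outside the hunk, so I assume nothing follows the if. The comment on the new condition says "created without unauthentication"; suggest `# allow access if the user is an admin, the ticket was created without authentication (created_by is nil, so anybody with the URL may reach it), or the current user created the ticket`. Style: `&&`/`||` are preferred over `and`/`or` inside a condition.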
diff --git a/help/app/models/ticket.rb b/help/app/models/ticket.rb
index 6301e9e..eaad574 100644
--- a/help/app/models/ticket.rb
+++ b/help/app/models/ticket.rb
@@ -23,14 +23,14 @@ class Ticket < CouchRest::Model::Base
#property :user_verified, TrueClass, :default => false #will be true exactly when user is set
#admins
- property :code, String, :protected => true # only should be set if created_by is nil
+ #property :code, String, :protected => true # only should be set if created_by is nil #instead we will just use couchdb ID
property :is_open, TrueClass, :default => true
property :comments, [TicketComment]
timestamps!
#before_validation :set_created_by, :set_code, :set_email, :on => :create
- before_validation :set_code, :set_email, :on => :create
+ before_validation :set_email, :on => :create
#named_scope :open, :conditions => {:is_open => true} #??
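Review bot: The secrecy of an unauthenticated ticket now rests entirely on the CouchDB document ID being unguessable, whereas the removed set_code used SecureRandom.hex(8); whether the ID has comparable unpredictability depends on the server's UUID algorithm setting, which is not visible here and should be confirmed before relying on it. Commented-out code (`#property :code ...` here, and the `=begin`/`=end` block around set_code in the next hunk) is better deleted, since version control keeps the history. Suggest replacing the commented-out property line with `# the document ID doubles as the secret URL token for tickets created without authentication; confirm the CouchDB uuids algorithm yields unpredictable ids`.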
@@ -59,10 +59,12 @@ class Ticket < CouchRest::Model::Base
!!created_by
end
- def set_code
+=begin
+ def set_code #let's not use this---can use same show url
# ruby 1.9 provides url-safe option---this is not necessarily url-safe
self.code = SecureRandom.hex(8) if !is_creator_validated?
end
+=end
def set_email
diff --git a/help/app/views/tickets/show.html.haml b/help/app/views/tickets/show.html.haml
index 3fb1d34..92b8d03 100644
--- a/help/app/views/tickets/show.html.haml
+++ b/help/app/views/tickets/show.html.haml
@@ -5,9 +5,6 @@
- if flash[:alert]
=flash[:alert]
%h2= @ticket.title
-- if @ticket.code
- code:
- = @ticket.code
- if @ticket.email
email:
= @ticket.email
@@ -24,6 +21,6 @@
= #render :partial => 'new_comment'
= f.label :is_open
= f.select :is_open, [true, false]
- = f.button :submit # have button to close
- = # want to ahve button to close
+ = f.button :submit
+ = # TODO want to have button to close
= link_to t(:cancel), tickets_path, :class => :btn \ No newline at end of file
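Review bot: `= # TODO want to have button to close` is a `=` script line whose Ruby is entirely a comment, as is `= #render :partial => 'new_comment'` above it; Haml's silent comment `-# TODO want to have button to close` expresses the same intent without evaluating an empty expression. The old side used the same construct, so this is pre-existing style rather than something the commit introduces.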
diff --git a/users/app/controllers/controller_extension/authentication.rb b/users/app/controllers/controller_extension/authentication.rb
index ebd80b0..598d8a9 100644
--- a/users/app/controllers/controller_extension/authentication.rb
+++ b/users/app/controllers/controller_extension/authentication.rb
@@ -21,7 +21,7 @@ module ControllerExtension::Authentication
def access_denied
redirect_to login_url, :alert => "Not authorized" if !logged_in?
- redirect_to root_url, :alert => "Not authorized"
+ redirect_to root_url, :alert => "Not authorized" if logged_in?
end
def admin?
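Review bot: Two modifier-ifs on opposite values of logged_in? read better as a single branch, and that also makes the redirect the method's value in both cases: `redirect_to(logged_in? ? root_url : login_url, :alert => "Not authorized")`. The old second line redirected unconditionally, so the added guard does fix a double redirect; the one-liner keeps that fix. The admin? definition that follows is outside the hunk.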