summaryrefslogtreecommitdiff
path: root/help/app/controllers
diff options
context:
space:
mode:
authorjessib <jessib@riseup.net>2012-11-05 13:18:43 -0800
committerjessib <jessib@riseup.net>2012-11-05 13:18:43 -0800
commitc7177593aaf2b1b8fd8dbd53b9cfb6562e1411d7 (patch)
tree476e067b49bc740890e44e5abbf42408ee41d6d2 /help/app/controllers
parent3515a598341282c20feb5950a81f43552280688d (diff)
Use the same URL for viewing tickets when authenticated or not---the couchdb ID will be the random string for the secret URL.
Tickets created when user was unauthenticated will be viewable by anybody who knows the URL.
Diffstat (limited to 'help/app/controllers')
-rw-r--r--help/app/controllers/tickets_controller.rb7
1 files changed, 4 insertions, 3 deletions
diff --git a/help/app/controllers/tickets_controller.rb b/help/app/controllers/tickets_controller.rb
index 4130ee6..a9e0bd4 100644
--- a/help/app/controllers/tickets_controller.rb
+++ b/help/app/controllers/tickets_controller.rb
@@ -41,7 +41,7 @@ class TicketsController < ApplicationController
def update
@ticket = Ticket.find(params[:id])
- if !ticket_access_denied?
+ if !ticket_access_denied? #can update w/out logging in if the ticket was created unauthenticated
#below is excessively complicated. issue is that we don't need a new comment if we have changed anything else (currently, is_open is the only other thing to change.) However, if we don't change anything else, then we want to try to add a new comment (and possibly fail.) Likely this should all be redone.
@ticket.is_open = params[:ticket][:is_open]
@@ -93,9 +93,10 @@ class TicketsController < ApplicationController
private
+
def ticket_access_denied?
- # TODO---we will allow unauthenticated users to view tickets with a code
- if !admin? and current_user.id != @ticket.created_by
+ # allow access if user is admin, the ticket was created without unauthentication (thus anybody with URL can access ticket where created_by is nil), or if there is a non-admin user and they created the ticket
+ if !admin? and @ticket.created_by and (!current_user or current_user.id != @ticket.created_by)
@ticket = nil
access_denied
end