diff options
-rw-r--r-- | help/app/controllers/tickets_controller.rb | 7 | ||||
-rw-r--r-- | help/app/models/ticket.rb | 8 | ||||
-rw-r--r-- | help/app/views/tickets/show.html.haml | 7 | ||||
-rw-r--r-- | users/app/controllers/controller_extension/authentication.rb | 2 |
4 files changed, 12 insertions, 12 deletions
diff --git a/help/app/controllers/tickets_controller.rb b/help/app/controllers/tickets_controller.rb index 4130ee6..a9e0bd4 100644 --- a/help/app/controllers/tickets_controller.rb +++ b/help/app/controllers/tickets_controller.rb @@ -41,7 +41,7 @@ class TicketsController < ApplicationController def update @ticket = Ticket.find(params[:id]) - if !ticket_access_denied? + if !ticket_access_denied? #can update w/out logging in if the ticket was created unauthenticated #below is excessively complicated. issue is that we don't need a new comment if we have changed anything else (currently, is_open is the only other thing to change.) However, if we don't change anything else, then we want to try to add a new comment (and possibly fail.) Likely this should all be redone. @ticket.is_open = params[:ticket][:is_open] @@ -93,9 +93,10 @@ class TicketsController < ApplicationController private + def ticket_access_denied? - # TODO---we will allow unauthenticated users to view tickets with a code - if !admin? and current_user.id != @ticket.created_by + # allow access if user is admin, the ticket was created without unauthentication (thus anybody with URL can access ticket where created_by is nil), or if there is a non-admin user and they created the ticket + if !admin? and @ticket.created_by and (!current_user or current_user.id != @ticket.created_by) @ticket = nil access_denied end diff --git a/help/app/models/ticket.rb b/help/app/models/ticket.rb index 6301e9e..eaad574 100644 --- a/help/app/models/ticket.rb +++ b/help/app/models/ticket.rb @@ -23,14 +23,14 @@ class Ticket < CouchRest::Model::Base #property :user_verified, TrueClass, :default => false #will be true exactly when user is set #admins - property :code, String, :protected => true # only should be set if created_by is nil + #property :code, String, :protected => true # only should be set if created_by is nil #instead we will just use couchdb ID property :is_open, TrueClass, :default => true property :comments, [TicketComment] timestamps! #before_validation :set_created_by, :set_code, :set_email, :on => :create - before_validation :set_code, :set_email, :on => :create + before_validation :set_email, :on => :create #named_scope :open, :conditions => {:is_open => true} #?? @@ -59,10 +59,12 @@ class Ticket < CouchRest::Model::Base !!created_by end - def set_code +=begin + def set_code #let's not use this---can use same show url # ruby 1.9 provides url-safe option---this is not necessarily url-safe self.code = SecureRandom.hex(8) if !is_creator_validated? end +=end def set_email diff --git a/help/app/views/tickets/show.html.haml b/help/app/views/tickets/show.html.haml index 3fb1d34..92b8d03 100644 --- a/help/app/views/tickets/show.html.haml +++ b/help/app/views/tickets/show.html.haml @@ -5,9 +5,6 @@ - if flash[:alert] =flash[:alert] %h2= @ticket.title -- if @ticket.code - code: - = @ticket.code - if @ticket.email email: = @ticket.email @@ -24,6 +21,6 @@ = #render :partial => 'new_comment' = f.label :is_open = f.select :is_open, [true, false] - = f.button :submit # have button to close - = # want to ahve button to close + = f.button :submit + = # TODO want to have button to close = link_to t(:cancel), tickets_path, :class => :btn
\ No newline at end of file diff --git a/users/app/controllers/controller_extension/authentication.rb b/users/app/controllers/controller_extension/authentication.rb index ebd80b0..598d8a9 100644 --- a/users/app/controllers/controller_extension/authentication.rb +++ b/users/app/controllers/controller_extension/authentication.rb @@ -21,7 +21,7 @@ module ControllerExtension::Authentication def access_denied redirect_to login_url, :alert => "Not authorized" if !logged_in? - redirect_to root_url, :alert => "Not authorized" + redirect_to root_url, :alert => "Not authorized" if logged_in? end def admin? |