From c7177593aaf2b1b8fd8dbd53b9cfb6562e1411d7 Mon Sep 17 00:00:00 2001
From: jessib
Date: Mon, 5 Nov 2012 13:18:43 -0800
Subject: Use the same URL for viewing tickets when authenticated or not---the couchdb ID will be the random string for the secret URL. Tickets created when user was unauthenticated will be viewable by anybody who knows the URL.
---
 help/app/controllers/tickets_controller.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'help/app/controllers')
diff --git a/help/app/controllers/tickets_controller.rb b/help/app/controllers/tickets_controller.rb
index 4130ee6..a9e0bd4 100644
--- a/help/app/controllers/tickets_controller.rb
+++ b/help/app/controllers/tickets_controller.rb
@@ -41,7 +41,7 @@ class TicketsController < ApplicationController
   def update
     @ticket = Ticket.find(params[:id])
-    if !ticket_access_denied?
+    if !ticket_access_denied? #can update w/out logging in if the ticket was created unauthenticated
       #below is excessively complicated. issue is that we don't need a new comment if we have changed anything else (currently, is_open is the only other thing to change.) However, if we don't change anything else, then we want to try to add a new comment (and possibly fail.) Likely this should all be redone.
       @ticket.is_open = params[:ticket][:is_open]
@@ -93,9 +93,10 @@ class TicketsController < ApplicationController
   private
+
   def ticket_access_denied?
-    # TODO---we will allow unauthenticated users to view tickets with a code
-    if !admin? and current_user.id != @ticket.created_by
+    # allow access if user is admin, the ticket was created without unauthentication (thus anybody with URL can access ticket where created_by is nil), or if there is a non-admin user and they created the ticket
+    if !admin? and @ticket.created_by and (!current_user or current_user.id != @ticket.created_by)
       @ticket = nil
       access_denied
     end
-- 
cgit v1.2.3
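Review bot: The trailing comment added to the `if !ticket_access_denied?` line in update understates what the relaxed check exposes: this action goes on to set `@ticket.is_open` from params and, per the comment on the following line, tries to add a new comment, so a ticket with no creator can be closed, reopened or commented on by anyone holding its URL, not merely viewed as the commit message says. The comment should spell that out, e.g. `unless ticket_access_denied? # created_by nil: anyone holding the URL may view AND update (is_open, comments)`. `unless ticket_access_denied?` is also the idiomatic form of `if !`. The rest of update's body lies outside the hunk.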
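Review bot: The new condition in ticket_access_denied? makes a nil `@ticket.created_by` an unconditional grant, so the entire access model for those tickets rests on the document id in the URL being unguessable, yet that assumption appears only in the commit message and not at the check. I would replace the one-line comment with one that records the invariant, e.g. `# created_by nil: ticket was filed unauthenticated and its unguessable id is the only credential; any index or listing that exposes such ids defeats this check`. The mixed `and`/`or` keywords bind looser than `&&`/`||` and are easy to misread if the expression grows; since every operand here is a plain term the truth table is unchanged by writing `if !admin? && @ticket.created_by && (!current_user || current_user.id != @ticket.created_by)`, and moving the nil-creator case into a named predicate such as `anonymous_ticket?` would make the policy readable. The method's closing `end` is outside the hunk.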