consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix access restriction in valuation budget investments controller

Browse Source 
Since we allow many active budgets at the same time, the
controller should now check the budget given by params.

Before this change the controller was checking the latest
published budget, ignoring the request parameter `budget_id`.
This commit is contained in:
Senén Rodero Rodríguez
2023-01-13 15:29:37 +01:00
parent 0c09fd22af
commit cdd26dd568
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/valuation/budget_investments_controller.rb
View File

@@ -4,9 +4,9 @@ class Valuation::BudgetInvestmentsController < Valuation::BaseController
feature_flag :budgets
before_action :load_budget
before_action :restrict_access_to_assigned_items, only: [:show, :edit, :valuate]
before_action :restrict_access, only: [:edit, :valuate]
before_action :load_budget
before_action :load_investment, only: [:show, :edit, :valuate]
has_orders %w[oldest], only: [:show, :edit]
@@ -110,7 +110,7 @@ class Valuation::BudgetInvestmentsController < Valuation::BaseController
end
def restrict_access
unless current_user.administrator? || current_budget.valuating?
unless current_user.administrator? || @budget.valuating?
raise CanCan::AccessDenied, I18n.t("valuation.budget_investments.not_in_valuating_phase")
end
end