Why: Non-admin users shouldn't be able to access, or know of the existence of, a non-published Budget. How: Raising an ActionController::RoutingError (404 error) to simulate the same behaviour as accessing a non-existing Budget. We could have used CanCanCan abilities for this, but then a user could be aware of existing but not published Budgets by trying different URLs.
21 lines
490 B
Ruby
class BudgetsController < ApplicationController
  include FeatureFlags
  include BudgetsHelper

  feature_flag :budgets

  load_and_authorize_resource
  before_action :set_default_budget_filter, only: :show
  has_filters %w{not_unfeasible feasible unfeasible unselected selected}, only: :show

  respond_to :html, :js

  def show
    raise ActionController::RoutingError, 'Not Found' unless budget_published?(@budget)
  end

  def index
    @budgets = @budgets.order(:created_at)
  end

end
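The point of the commit is that an authorization failure (403) and a missing record (404) must look identical to a non-admin, otherwise the status code alone lets someone confirm which budget ids exist. The following plain-Ruby model, added here as an illustration and not part of the project's code, puts the two approaches side by side without Rails: `Budget`, the in-memory `BUDGETS` store, the `admin:` flag and the `RoutingError` stand-in are all constructed for the example (in the real controller the admin case is handled inside `budget_published?` from BudgetsHelper, and Rails maps `ActionController::RoutingError` to its 404 page).

```ruby
# Added example, not the project's code: contrasts an authorization-only
# check (distinct 403 for drafts) with the commit's approach (same 404 for
# drafts and for ids that do not exist).

# Stand-in for ActionController::RoutingError, which Rails renders as a 404.
class RoutingError < StandardError; end

Budget = Struct.new(:id, :name, :published)

# Constructed sample data: one published budget and one unpublished draft.
BUDGETS = {
  1 => Budget.new(1, "Participatory budget 2023", true),
  2 => Budget.new(2, "Draft budget 2024", false)
}.freeze

# Assumed helper: a budget is visible when it is published.
def budget_published?(budget)
  budget.published
end

# Authorization-only approach: an existing draft answers 403 while a missing
# id answers 404, so a non-admin can tell the two cases apart.
def show_leaky(id, admin: false)
  budget = BUDGETS[id]
  return 404 if budget.nil?
  return 200 if admin || budget_published?(budget)
  403
end

# Approach taken in the commit: raise the same routing error whether the
# budget is missing or merely unpublished (admin: is an assumption here).
def show_hidden(id, admin: false)
  budget = BUDGETS[id]
  raise RoutingError, "Not Found" if budget.nil?
  raise RoutingError, "Not Found" unless admin || budget_published?(budget)
  200
end

# Translate the raised error into the status code a Rails app would send.
def status_for(id, admin: false)
  show_hidden(id, admin: admin)
rescue RoutingError
  404
end

# Which ids in the range does a non-admin receive anything other than 404
# for? Under the leaky variant this set includes the unpublished draft.
def distinguishable_ids(range, checker)
  range.select { |id| checker.call(id) != 404 }
end

if __FILE__ == $0
  ids = 1..3
  puts "authorization-only reveals ids: #{distinguishable_ids(ids, method(:show_leaky)).inspect}"
  puts "404-on-draft reveals ids:       #{distinguishable_ids(ids, method(:status_for)).inspect}"
end
```

Running the file shows the leaky variant revealing ids 1 and 2 (the draft is distinguishable from id 3, which does not exist), while the 404-on-draft variant reveals only the published budget; an admin still gets 200 for the draft through `status_for(2, admin: true)`.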