作业的增、删、改、查以及作业资料的下载增加权限控制

app/controllers/homework_attach_controller.rb

@@ -18,7 +18,8 @@ class HomeworkAttachController < ApplicationController
   end
 
   def create
-    #if User.current.logged? && (!Member.where('user_id = ? and project_id = ?', User.current.id, @bid.courses.first.id).first.nil? && (Member.where('user_id = ? and project_id = ?', User.current.id, @bid.courses.first.id).first.roles&Role.where('id = ? or id = ? or id =?',5, 10, 7)).size >0)
+    bid = Bid.find params[:bid_id]
+    if User.current.admin? || User.current.member_of?(bid.courses.first)
       user_id = params[:user_id]
       bid_id = params[:bid_id]
       sta = 0
@@ -32,7 +33,7 @@ class HomeworkAttachController < ApplicationController
           :bid_id => bid_id
       }
 
-      #@bid = Bid.find bid_id
+
       #@homework_list = @bid.homeworks
 
       @homework = HomeworkAttach.new(options)
@@ -45,27 +46,37 @@ class HomeworkAttachController < ApplicationController
           format.json { head :no_content }
         end
       else
+        render_403 :message => :notice_not_authorized
+      end
+    else
 
     end
-    #end
   end
 
   def new
-    @homework = HomeworkAttach.new
     @bid = Bid.find(params[:id])
-
+    if User.current.admin? || User.current.member_of?(@bid.courses.first)
+      @homework = HomeworkAttach.new
       respond_to do |format|
         format.html # new.html.erb
         format.json { render json: @homework }
       end
+    else
+      render_403 :message => :notice_not_authorized
+    end
   end
 
   def edit
     @homework = HomeworkAttach.find(params[:id])
+    if User.current.admin? || User.current.member_of?(@homework.bid.courses.first)
+    else
+      render_403 :message => :notice_not_authorized
+    end
   end
 
   def update
     @homework = HomeworkAttach.find(params[:id])
+    if User.current.admin? || User.current.member_of?(@homework.bid.courses.first)
       name = params[:homework_name]
       description = params[:homework_description]
       @homework.name = name
@@ -80,10 +91,14 @@ class HomeworkAttachController < ApplicationController
         end
       else
       end
+    else
+      render_403 :message => :notice_not_authorized
+    end
   end
 
   def destroy
     @homework = HomeworkAttach.find(params[:id])
+    if User.current.admin? || User.current.member_of?(@homework.bid.courses.first)
       if @homework.destroy
         respond_to do |format|
           format.html { redirect_to project_for_bid_path @homework.bid }
@@ -91,11 +106,15 @@ class HomeworkAttachController < ApplicationController
         end
       else
       end
+    else
+      render_403 :message => :notice_not_authorized
+    end
   end
 
   #显示作业信息
   def show
     @homework = HomeworkAttach.find(params[:id])
+    if User.current.admin? || User.current.member_of?(@homework.bid.courses.first)
       # 打分统计
       stars_reates = @homework.
           rates(:quality)
@@ -116,6 +135,9 @@ class HomeworkAttachController < ApplicationController
       @offset ||= @feedback_pages.offset
       @jour = @jours[@offset, @limit]
       @comprehensive_evaluation = @homework.journals_for_messages.where("is_comprehensive_evaluation is not null").order("created_on DESC")
+    else
+      render_403 :message => :notice_not_authorized
+    end
   end
 
   #删除留言

app/controllers/zipdown_controller.rb

@@ -26,6 +26,8 @@ class ZipdownController < ApplicationController
     obj_id = params[:obj_id]
     user_id = params[:user_id]
     obj = obj_class.constantize.find(obj_id)
+
+    if User.current.admin? || User.current.member_of?(obj.courses.first)
       zipfile = nil
       case obj.class.to_s.to_sym
         when :Bid
@@ -34,6 +36,9 @@ class ZipdownController < ApplicationController
           logger.error "[ZipDown#assort] ===> #{obj.class.to_s.to_sym} unKown !!"
       end
       send_file zipfile, :filename => obj.name, :type => detect_content_type(zipfile) if zipfile
+    else
+      render_403 :message => :notice_not_authorized
+    end
   end
 
   private