* working on Issue 145: Direct links for sensitive oprations

git-svn-id: http://redmine-dmsf.googlecode.com/svn/trunk/redmine_dmsf@235 5e329b0b-a2ee-ea63-e329-299493fc886d
2011-09-23 08:14:30 +00:00 · 2011-09-23 08:14:30 +00:00 · 443e497d74
commit 443e497d74
parent 2627b392e0
2 changed files with 24 additions and 7 deletions
--- a/app/controllers/dmsf_controller.rb
+++ b/app/controllers/dmsf_controller.rb
@ -24,6 +24,9 @@ class DmsfController < ApplicationController
  before_filter :find_folder, :except => [:new, :create, :edit_root, :save_root]
  before_filter :find_parent, :only => [:new, :create]
  
+  verify :method => :post, :only => [:delete_entries, :create, :save, :delete, :save_root, :notify_activate, :notify_deactivate], 
+    :render => { :nothing => true, :status => :method_not_allowed }
+  
  def show
    if @folder.nil?
      @subfolders = DmsfFolder.project_root_folders(@project)
--- a/app/views/dmsf/show.html.erb
+++ b/app/views/dmsf/show.html.erb
@ -69,13 +69,13 @@ form_tag({:action => "entries_operation", :id => @project, :folder_id => @folder
 				<% if User.current.allowed_to?(:file_approval, @project) %>
 					<div class="right_icon_box">
 					<% if subfolder.notification %>
-						<%= link_to(image_tag("notify.png", :plugin => "redmine_dmsf"),
-			        			{:action => "notify_deactivate", :id => @project,
-								:folder_id => subfolder}, :title => l(:title_notifications_active_deactivate)) %>
+						<%= link_to_function(image_tag("notify.png", :plugin => "redmine_dmsf"),
+			        			"manipulation_link('#{url_for(:action => 'notify_deactivate', :id => @project, :folder_id => subfolder)}')",
+								 :title => l(:title_notifications_active_deactivate)) %>
 					<% else %>
-						<%= link_to(image_tag("notifynot.png", :plugin => "redmine_dmsf"),
-			        			{:action => "notify_activate", :id => @project, 
-								:folder_id => subfolder}, :title => l(:title_notifications_not_active_activate)) %>
+						<%= link_to_function(image_tag("notifynot.png", :plugin => "redmine_dmsf"),
+			        			"manipulation_link('#{url_for(:action => 'notify_activate', :id => @project, :folder_id => subfolder)}')", 
+								:title => l(:title_notifications_not_active_activate)) %>
 					<% end %>
 					</div>
 				<% end %>
@ -188,7 +188,10 @@ form_tag({:action => "entries_operation", :id => @project, :folder_id => @folder

 <script type="text/javascript">
 	jQuery("a.delete-link").click(function(event) {
-		if(!window.confirm("<%= l(:question_do_you_really_want_to_delete_this_entry) %>")) event.preventDefault();
+		event.preventDefault();
+		if(!window.confirm("<%= l(:question_do_you_really_want_to_delete_this_entry) %>")) return;
+		jQuery("#entries_form").attr("action", jQuery(this).attr("href"));
+		jQuery("#entries_form").submit();
 	})
 	
 	jQuery("#entries_delete_button").click(function(event) {
@ -258,6 +261,17 @@ sUrl = "jquery.dataTables/#{I18n.locale.to_s.downcase}.json" if I18n.locale && !
 		        }
 	      	});
 		});
+		
+		function manipulation_link(action) {
+			jQuery("#entries_form").attr("action", action);
+			jQuery("#entries_form").submit();
+		};
+		
+		function confirmation_link(action) {
+			if(!window.confirm("<%= l(:question_do_you_really_want_to_delete_this_entry) %>")) return;
+			jQuery("#entries_form").attr("action", action);
+			jQuery("#entries_form").submit();
+		};
 	</script>
 <% end %>