From bce512c1ad5cc84992100adb83c5887ed391070e Mon Sep 17 00:00:00 2001
From: "vit.jonas@gmail.com"
Date: Sun, 25 Sep 2011 08:11:28 +0000
Subject: [PATCH] * work on Issue 145: Direct links for sensitive oprations

git-svn-id: http://redmine-dmsf.googlecode.com/svn/trunk/redmine_dmsf@237 5e329b0b-a2ee-ea63-e329-299493fc886d
---
 app/controllers/dmsf_files_controller.rb | 3 ++
 app/views/dmsf/show.html.erb | 36 ++++++++-----------
 .../dmsf_files/_file_new_revision.html.erb | 2 +-
 app/views/dmsf_files/show.html.erb | 19 +++++-----
 4 files changed, 28 insertions(+), 32 deletions(-)

diff --git a/app/controllers/dmsf_files_controller.rb b/app/controllers/dmsf_files_controller.rb
index 1a190a59..dca46cff 100644
--- a/app/controllers/dmsf_files_controller.rb
+++ b/app/controllers/dmsf_files_controller.rb
@@ -25,6 +25,9 @@ class DmsfFilesController < ApplicationController
 before_filter :find_revision, :only => [:delete_revision]
 before_filter :authorize
 
+ verify :method => :post, :only => [:create_revision, :delete_revision, :delete, :lock, :unlock, :notify_activate, :notify_deactivate],
+ :render => { :nothing => true, :status => :method_not_allowed }
+
 def show
 # download is put here to provide more clear and usable links
 if params.has_key?(:download)
diff --git a/app/views/dmsf/show.html.erb b/app/views/dmsf/show.html.erb
index 8eea7948..9b7c7732 100644
--- a/app/views/dmsf/show.html.erb
+++ b/app/views/dmsf/show.html.erb
@@ -88,10 +88,9 @@ form_tag({:action => "entries_operation", :id => @project, :folder_id => @folder
 <% end %>
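Review bot: `verify :method => :post` stops these state-changing actions from firing on a plain GET (link prefetch, an image tag pointing at the URL), but it is not a CSRF defence on its own: a cross-site form can still POST to `delete`, `lock`, `unlock` and the notify actions unless `protect_from_forgery` is active in the inherited ApplicationController (not visible here) and the JS helpers the views now call submit the authenticity token with the form. The 405 reply should also carry an `Allow` header, which `:render => { :nothing => true, :status => :method_not_allowed }` omits; `verify` accepts `:add_headers => { 'Allow' => 'POST' }` for that. A one-line comment above the call, `# State-changing actions must be POSTed; a direct GET link gets 405`, would make the intent clear to the next reader. The class body continues outside the hunk.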
- <%= link_to(image_tag("delete.png", :plugin => "redmine_dmsf"),
- {:action => "delete", :id => @project,
- :folder_id => @folder, :delete_folder_id => subfolder}, :class => "delete-link",
- :title => l(:title_delete)) if User.current.allowed_to?(:folder_manipulation, @project) %>
+ <%= link_to_function(image_tag("delete.png", :plugin => "redmine_dmsf"),
+ "confirmation_link('#{url_for(:action => 'delete', :id => @project, :folder_id => @folder, :delete_folder_id => subfolder)}')",
+ :title => l(:title_delete))%>
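Review bot: The rewritten folder delete link drops the `if User.current.allowed_to?(:folder_manipulation, @project)` modifier that the removed `:title => l(:title_delete)) if ...` line carried, so unless an enclosing condition outside the hunk covers it, the delete icon is now rendered for every viewer of the folder; the controller-side `authorize` filter still blocks the action, but the UI exposes a control the user cannot use. Restore the guard on the new last line: `:title => l(:title_delete)) if User.current.allowed_to?(:folder_manipulation, @project) %>`. The surrounding `form_tag` block starts and ends outside the hunk.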

@@ -139,12 +138,12 @@ form_tag({:action => "entries_operation", :id => @project, :folder_id => @folder
 <% if User.current.allowed_to?(:file_approval, @project) %>
 <% if file.notification %>
- <%= link_to(image_tag("notify.png", :plugin => "redmine_dmsf"),
- {:controller => "dmsf_files", :action => "notify_deactivate", :id => file},
+ <%= link_to_function(image_tag("notify.png", :plugin => "redmine_dmsf"),
+ "manipulation_link('#{url_for(:controller => "dmsf_files", :action => 'notify_deactivate', :id => file)}')",
 :title => l(:title_notifications_active_deactivate)) %>
 <% else %>
- <%= link_to(image_tag("notifynot.png", :plugin => "redmine_dmsf"),
- {:controller => "dmsf_files", :action => "notify_activate", :id => file},
+ <%= link_to_function(image_tag("notifynot.png", :plugin => "redmine_dmsf"),
+ "manipulation_link('#{url_for(:controller => "dmsf_files", :action => 'notify_activate', :id => file)}')",
 :title => l(:title_notifications_not_active_activate)) %>
 <% end %>
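Review bot: `manipulation_link(...)` here, and `confirmation_link(...)` in the folder-delete hunk above and the lock/unlock/delete hunk below, are client-side functions that no file in this patch defines (the diffstat lists only the controller and three views), so every rewritten control now depends on a helper that must already ship with the plugin; if it does not, these links silently do nothing. Because the controller now answers 405 to GET for these actions, the helper presumably builds and submits a POST form — confirm it includes the authenticity token, otherwise forgery protection will reject the request. Style: the interpolated call mixes quote styles in one expression (`:controller => "dmsf_files", :action => 'notify_deactivate'`); using `'dmsf_files'` inside the double-quoted JS string reads more safely. The enclosing `if file.notification` branch is shown, but the outer `form_tag` block starts and ends outside the hunk.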
@@ -158,20 +157,20 @@ form_tag({:action => "entries_operation", :id => @project, :folder_id => @folder
 <% unless file.locked_for_user? && !User.current.allowed_to?(:force_file_unlock, @project)%>
 <% if file.locked? %>
- <%= link_to(image_tag("unlock.png", :plugin => "redmine_dmsf"),
- {:controller => "dmsf_files", :action => "unlock", :id => file },
+ <%= link_to_function(image_tag("unlock.png", :plugin => "redmine_dmsf"),
+ "manipulation_link('#{url_for(:controller => "dmsf_files", :action => 'unlock', :id => file)}')",
 :title => l(:title_unlock_file)) %>
 <% else %>
- <%= link_to(image_tag("lock.png", :plugin => "redmine_dmsf"),
- {:controller => "dmsf_files", :action => "lock", :id => file },
+ <%= link_to_function(image_tag("lock.png", :plugin => "redmine_dmsf"),
+ "manipulation_link('#{url_for(:controller => "dmsf_files", :action => 'lock', :id => file)}')",
 :title => l(:title_lock_file)) %>
 <% end %>   <% end %>
 <% if User.current.allowed_to?(:file_manipulation, @project) && !file.locked_for_user? %>
- <%= link_to(image_tag("delete.png", :plugin => "redmine_dmsf"),
- {:controller => "dmsf_files", :action => "delete", :id => file},
- :class => "delete-link", :title => l(:title_delete)) %>
+ <%= link_to_function(image_tag("delete.png", :plugin => "redmine_dmsf"),
+ "confirmation_link('#{url_for(:controller => "dmsf_files", :action => 'delete', :id => file)}')",
+ :title => l(:title_delete)) %>
 <% end %>
@@ -187,13 +186,6 @@ form_tag({:action => "entries_operation", :id => @project, :folder_id => @folder
 <% end %>
 <% end %>
\ No newline at end of file