#170 permission check in all controllers

app/controllers/dmsf_files_controller.rb

@@ -37,7 +37,9 @@ class DmsfFilesController < ApplicationController
   helper :dmsf
 
   def permissions
-    render_403 unless DmsfFolder.permissions(@file.dmsf_folder)
+    if @file
+      render_403 unless DmsfFolder.permissions(@file.dmsf_folder)
+    end
     true
   end
 

app/controllers/dmsf_files_copy_controller.rb

@@ -1,6 +1,7 @@
 # Redmine plugin for Document Management System "Features"
 #
-# Copyright (C) 2011   Vít Jonáš <vit.jonas@gmail.com>
+# Copyright (C) 2011    Vít Jonáš <vit.jonas@gmail.com>
+# Copyright (C) 2011-17 Karel Pičman <karel.picman@kontron.com>
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -23,9 +24,17 @@ class DmsfFilesCopyController < ApplicationController
 
   before_filter :find_file
   before_filter :authorize
+  before_filter :permissions
 
   helper :all
 
+  def permissions
+    if @file
+      render_403 unless DmsfFolder.permissions(@file.dmsf_folder)
+    end
+    true
+  end
+
   def new
     @target_project = DmsfFile.allowed_target_projects_on_copy.detect {|p| p.id.to_s == params[:target_project_id]} if params[:target_project_id]
     @target_project ||= @project if User.current.allowed_to?(:file_manipulation, @project)
@@ -112,8 +121,8 @@ private
   end
 
   def find_file
-    @file = DmsfFile.visible.find(params[:id])
-    @project = @file.project
+    @file = DmsfFile.visible.find_by_id params[:id]
+    @project = @file.project if @file
   end
 
 end

app/controllers/dmsf_folder_permissions_controller.rb

@@ -24,6 +24,12 @@ class DmsfFolderPermissionsController < ApplicationController
   before_filter :find_folder, :only => [:destroy]
   before_filter :find_project
   before_filter :authorize
+  before_filter :permissions
+
+  def permissions
+    render_403 unless DmsfFolder.permissions(@dmsf_folder)
+    true
+  end
 
   def new
     @users = users_for_new_users

app/controllers/dmsf_folders_copy_controller.rb

@@ -23,6 +23,12 @@ class DmsfFoldersCopyController < ApplicationController
 
   before_filter :find_folder
   before_filter :authorize
+  before_filter :permissions
+
+  def permissions
+    render_403 unless DmsfFolder.permissions(@folder)
+    true
+  end
 
   def new
     @target_project = DmsfFolder.allowed_target_projects_on_copy.detect {|p| p.id.to_s == params[:target_project_id]} if params[:target_project_id]
@@ -80,8 +86,8 @@ class DmsfFoldersCopyController < ApplicationController
   end
 
   def find_folder
-    @folder = DmsfFolder.visible.find(params[:id])
-    @project = @folder.project
+    @folder = DmsfFolder.visible.find_by_id(params[:id])
+    @project = @folder.project if @folder
   end
 
 end

app/controllers/dmsf_links_controller.rb

@@ -25,6 +25,14 @@ class DmsfLinksController < ApplicationController
   before_filter :find_model_object, :only => [:destroy, :restore]
   before_filter :find_link_project
   before_filter :authorize
+  before_filter :permissions
+
+  def permissions
+    if @dmsf_link
+      render_403 unless DmsfFolder.permissions(@dmsf_link.dmsf_folder)
+    end
+    true
+  end
 
   def initialize
     @dmsf_link = nil

app/controllers/dmsf_upload_controller.rb

@@ -28,12 +28,18 @@ class DmsfUploadController < ApplicationController
   before_filter :authorize, :except => [:upload, :delete_dmsf_attachment]
   before_filter :authorize_global, :only => [:upload, :delete_dmsf_attachment]
   before_filter :find_folder, :except => [:upload_file, :upload, :commit, :delete_dmsf_attachment]
+  before_filter :permissions, :except => [:upload_file, :upload, :commit, :delete_dmsf_attachment]
 
   helper :all
   helper :dmsf_workflows
 
   accept_api_auth :upload, :commit
 
+  def permissions
+    render_403 unless DmsfFolder.permissions(@folder)
+    true
+  end
+
   def upload_files
     uploaded_files = params[:dmsf_attachments]
     @uploads = []

app/controllers/dmsf_workflows_controller.rb

@@ -25,9 +25,18 @@ class DmsfWorkflowsController < ApplicationController
   before_filter :find_model_object, :except => [:create, :new, :index, :assign, :assignment]
   before_filter :find_project
   before_filter :authorize_custom
+  before_filter :permissions, :only => [:new_action, :assignment, :start]
 
   layout :workflows_layout
 
+  def permissions
+    revision = DmsfFileRevision.find_by_id params[:dmsf_file_revision_id] if params[:dmsf_file_revision_id].present?
+    if revision
+      render_403 unless revision.dmsf_file || DmsfFolder.permissions(revision.dmsf_file.dmsf_folder)
+    end
+    true
+  end
+
   def initialize
     @dmsf_workflow = nil
     @project = nil

app/views/dmsf_files/show.html.erb

@@ -29,33 +29,33 @@
     <% unless @file.locked_for_user? %>
       <% unless @file.locked? %>
         <%= link_to(l(:button_lock), lock_dmsf_files_path(:id => @file),
-          :title => l(:title_lock_file), :class => 'icon dmsf_icon-lock') %>
+          :title => l(:title_lock_file), :class => 'icon icon-lock') %>
       <% else %>
         <%= link_to_if(@file.unlockable?, l(:button_unlock), unlock_dmsf_files_path(:id => @file),
-          :title => l(:title_unlock_file), :class => 'icon dmsf_icon-unlock') %>
+          :title => l(:title_unlock_file), :class => 'icon icon-unlock') %>
       <% end %>
       <% if @file.notification %>
         <%= link_to(l(:label_notifications_off),
           notify_deactivate_dmsf_files_path(:id => @file),
           :title => l(:title_notifications_active_deactivate),
-          :class => 'icon dmsf_icon-notification-on') %>
+          :class => 'icon icon-email') %>
       <% else %>
         <%= link_to(l(:label_notifications_on),
           notify_activate_dmsf_files_path(:id => @file),
           :title => l(:title_notifications_not_active_activate),
-          :class => 'icon dmsf_icon-notification-off') %>
+          :class => 'icon icon-email-add') %>
       <% end %>
       <%= link_to(l(:label_link_to),
         new_dmsf_link_path(:project_id => @project.id, :dmsf_folder_id => @file.dmsf_folder ? @file.dmsf_folder.id : nil, :dmsf_file_id => @file.id, :type => 'link_to'),
         :title => l(:title_create_link),
-        :class => 'icon dmsf_icon-link') %>
+        :class => 'icon icon-link') %>
       <%= link_to("#{l(:button_copy)}/#{l(:button_move)}", copy_file_path(:id => @file),
         :title => l(:title_copy), :class => 'icon icon-copy') %>
       <%= delete_link(dmsf_file_path(:id => @file, :details => true)) if @file_delete_allowed %>
     <% else %>
       <% if User.current.allowed_to?(:force_file_unlock, @project) %>
         <%= link_to_if(@file.unlockable?, l(:button_unlock), unlock_dmsf_files_path(:id => @file),
-          :title => l(:title_unlock_file), :class => 'icon dmsf_icon-unlock')%>
+          :title => l(:title_unlock_file), :class => 'icon icon-unlock')%>
       <% end %>
     <% end %>
   <% end %>

test/unit/project_patch_test.rb

@@ -21,7 +21,7 @@
 require File.expand_path('../../test_helper', __FILE__)
 
 class ProjectPatchTest < RedmineDmsf::Test::UnitTest
-  fixtures :projects, :dmsf_files, :dmsf_file_revisions, :dmsf_links, :dmsf_folders, :dmsf_workflows
+  fixtures :projects, :dmsf_files, :dmsf_file_revisions, :dmsf_links, :dmsf_folders, :dmsf_workflows, :users
 
   def setup
     @project1 = Project.find_by_id 1