author | Douglas Barbosa Alexandre <dbalexandre@gmail.com> | 2016-08-09 01:03:41 +0300 |
---|---|---|
committer | Douglas Barbosa Alexandre <dbalexandre@gmail.com> | 2016-08-17 18:58:59 +0300 |
commit | a8b1ad250e1ebc1c1e835399ccd010b223108a1d (patch) | |
tree | 6d863ac30dcc7db0238ad5b6c3f82988b7bc1029 /app/controllers/projects/boards_controller.rb | |
parent | 6113767045971abd3a279705f481c8e712660c88 (diff) |
Add authorization to issues board related controllers
Diffstat (limited to 'app/controllers/projects/boards_controller.rb')
-rw-r--r-- | app/controllers/projects/boards_controller.rb | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/app/controllers/projects/boards_controller.rb b/app/controllers/projects/boards_controller.rb
index 50311acec32..301c718ad57 100644
--- a/app/controllers/projects/boards_controller.rb
+++ b/app/controllers/projects/boards_controller.rb
@@ -1,4 +1,6 @@
 class Projects::BoardsController < Projects::ApplicationController
+  before_action :authorize_read_board!, only: [:show]
+
   def show
     board = Boards::CreateService.new(project, current_user).execute
@@ -7,4 +9,15 @@ class Projects::BoardsController < Projects::ApplicationController
       format.json { render json: board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :color] } }) }
     end
   end
+
+  private
+
+  def authorize_read_board!
+    unless can?(current_user, :read_board, project)
+      respond_to do |format|
+        format.html { return access_denied! }
+        format.json { return render_403 }
+      end
+    end
+  end
 end
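Review bot: The `only: [:show]` restriction on the new `before_action` means any action added to this controller later runs with no `:read_board` check unless someone remembers to extend the list; since `show` is the only action here, dropping the option (`before_action :authorize_read_board!`) costs nothing and fails closed. Separately, `show` is now gated by a read permission yet its first line calls `Boards::CreateService.new(project, current_user).execute` — if that service creates a board when none exists (its name suggests so, but it lives outside this file; confirm), a user holding only read access can trigger a write, which a check named `:read_board` would not be expected to authorize. The `show` method's body continues past this hunk.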
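Review bot: The explicit `return` inside each `respond_to` block of `authorize_read_board!` is unnecessary: `access_denied!` and `render_403` render a response, which is what halts the filter chain, and `return` from a block inside a callback merely exits that method, which is about to end anyway. A guard clause also removes the `unless`/`end` nesting: replace the `unless` line with `return if can?(current_user, :read_board, project)`, drop its matching `end`, and write the branches as `format.html { access_denied! }` and `format.json { render_403 }`. One caveat to confirm: `access_denied!` is defined outside this file, so if it renders with a status other than 403, HTML and JSON clients would receive different status codes for the same denial — worth checking that this is intended.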