Add authorization to issues board related controllers

author: Douglas Barbosa Alexandre <dbalexandre@gmail.com> 2016-08-09 01:03:41 +0300
committer: Douglas Barbosa Alexandre <dbalexandre@gmail.com> 2016-08-17 18:58:59 +0300
commit: a8b1ad250e1ebc1c1e835399ccd010b223108a1d (patch)
tree: 6d863ac30dcc7db0238ad5b6c3f82988b7bc1029 /app/controllers/projects/boards_controller.rb
parent: 6113767045971abd3a279705f481c8e712660c88 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/app/controllers/projects/boards_controller.rb b/app/controllers/projects/boards_controller.rb
index 50311acec32..301c718ad57 100644
--- a/app/controllers/projects/boards_controller.rb
+++ b/app/controllers/projects/boards_controller.rb
@@ -1,4 +1,6 @@
 class Projects::BoardsController < Projects::ApplicationController
+  before_action :authorize_read_board!, only: [:show]
+
   def show
     board = Boards::CreateService.new(project, current_user).execute
 
@@ -7,4 +9,15 @@ class Projects::BoardsController < Projects::ApplicationController
       format.json { render json: board.lists.as_json(only: [:id, :list_type, :position], methods: [:title], include: { label: { only: [:id, :title, :color] } }) }
     end
   end
+
+  private
+
+  def authorize_read_board!
+    unless can?(current_user, :read_board, project)
+      respond_to do |format|
+        format.html { return access_denied! }
+        format.json { return render_403 }
+      end
+    end
+  end
 end
author	Douglas Barbosa Alexandre <dbalexandre@gmail.com>	2016-08-09 01:03:41 +0300
committer	Douglas Barbosa Alexandre <dbalexandre@gmail.com>	2016-08-17 18:58:59 +0300
commit	a8b1ad250e1ebc1c1e835399ccd010b223108a1d (patch)
tree	6d863ac30dcc7db0238ad5b6c3f82988b7bc1029 /app/controllers/projects/boards_controller.rb
parent	6113767045971abd3a279705f481c8e712660c88 (diff)