Reject non-owned projects to assign to teams

author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-01-24 16:15:14 +0400
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-01-25 00:31:49 +0400
commit: 7403afea9748316b78242ecb250f619fe1a15b36 (patch)
tree: a85f2c26568adde4d9477f466fa2763a7f3bf0a5 /app
parent: b4967b3703e1d520dd520f4bb7196ba3ecc302e9 (diff)
1 files changed, 12 insertions, 6 deletions
diff --git a/app/controllers/teams/projects_controller.rb b/app/controllers/teams/projects_controller.rb
index 9e9cd9f5f57..f5729351508 100644
--- a/app/controllers/teams/projects_controller.rb
+++ b/app/controllers/teams/projects_controller.rb
@@ -16,13 +16,19 @@ class Teams::ProjectsController < Teams::ApplicationController
   end
 
   def create
-    unless params[:project_ids].blank?
-      project_ids = params[:project_ids]
-      access = params[:greatest_project_access]
-      user_team.assign_to_projects(project_ids, access)
-    end
+    redirect_to :back if params[:project_ids].blank?
+
+    project_ids = params[:project_ids]
+    access = params[:greatest_project_access]
+
+    # Reject non-allowed projects
+    allowed_project_ids = current_user.owned_projects.map(&:id)
+    project_ids.select! { |id| allowed_project_ids.include?(id) }
+
+    # Assign projects to team
+    user_team.assign_to_projects(project_ids, access)
 
-    redirect_to team_projects_path(user_team), notice: 'Team of users was successfully assgned to projects.'
+    redirect_to team_projects_path(user_team), notice: 'Team of users was successfully assigned to projects.'
   end
 
   def edit
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2013-01-24 16:15:14 +0400
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2013-01-25 00:31:49 +0400
commit	7403afea9748316b78242ecb250f619fe1a15b36 (patch)
tree	a85f2c26568adde4d9477f466fa2763a7f3bf0a5 /app
parent	b4967b3703e1d520dd520f4bb7196ba3ecc302e9 (diff)