Merge pull request #132 from getguesstimate/595-calculator-privacy-co…

…ntrols Calculators should match the privacy restrictions of their underlying spaces. Closes getguesstimate/guesstimate-app#595
getguesstimate · Jul 15, 2016 · 62703c6 · 62703c6
2 parents 45af73a + 7a4d339
commit 62703c6
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/app/controllers/calculators_controller.rb b/app/controllers/calculators_controller.rb
@@ -1,9 +1,9 @@
 class CalculatorsController < ApplicationController
-  before_action :authenticate, :set_space, :check_authorization, only: [:create]
+  before_action :authenticate, :set_space, :check_create_authorization, only: [:create]
+  before_action :set_calculator, :check_show_authorization, only: [:show]
 
   # GET /calculators/:id
   def show
-    @calculator = Calculator.find(params[:id])
     render json: CalculatorRepresenter.new(@calculator).to_json
   end
 
@@ -21,7 +21,15 @@ def set_space
     @space = Space.find(params[:space_id])
   end
 
-  def check_authorization
+  def set_calculator
+    @calculator = Calculator.find(params[:id])
+  end
+
+  def check_show_authorization
+    head :unauthorized unless @calculator.space.viewable_by_user? current_user
+  end
+
+  def check_create_authorization
     head :unauthorized unless @space.editable_by_user? current_user
   end
 

diff --git a/app/models/space.rb b/app/models/space.rb
@@ -94,6 +94,10 @@ def has_interesting_metrics?
     metrics.length > 3
   end
 
+  def viewable_by_user?(user)
+    is_public? || (user.present? && editable_by_user?(user))
+  end
+
   def editable_by_user?(user)
     if organization
       user.member_of?(organization)