authorLuke Shumaker <shumakl@purdue.edu>2014-04-04 20:35:16 -0400
committerLuke Shumaker <shumakl@purdue.edu>2014-04-04 20:35:16 -0400
commitbcfa571b0328a4b3e94479a31c027621ceb86ad5 (patch)
treeac662a6e8e6be36b311652520b8bcc2a1511741d /app/controllers/alerts_controller.rb
parentd6009eddd6f67a9414ff7d707ae82c053e6653ad (diff)
Implement the new security mechanism
Diffstat (limited to 'app/controllers/alerts_controller.rb')
-rw-r--r--app/controllers/alerts_controller.rb13
1 files changed, 3 insertions, 10 deletions
diff --git a/app/controllers/alerts_controller.rb b/app/controllers/alerts_controller.rb
index d2b1558..333022a 100644
--- a/app/controllers/alerts_controller.rb
+++ b/app/controllers/alerts_controller.rb
@@ -1,7 +1,4 @@
class AlertsController < ApplicationController
- before_action :set_alert, only: [:show, :edit, :update, :destroy]
- before_action :check_perms, only: [:new, :create, :edit, :update, :destroy]
-
# GET /alerts
# GET /alerts.json
def index
@@ -63,18 +60,14 @@ class AlertsController < ApplicationController
end
private
+
# Use callbacks to share common setup or constraints between actions.
def set_alert
@alert = Alert.find(params[:id])
end
- def check_perms
- unless (signed_in? and (current_user.in_group?(:admin) or current_user.in_group?(:host)))
- respond_to do |format|
- format.html { render action: 'permission_denied', status: :forbidden }
- format.json { render json: "Permission denied", status: :forbidden }
- end
- end
+ def is_owner?(object)
+ object.author == current_user
end
# Never trust parameters from the scary internet, only allow the white list through.
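Review bot: `is_owner?` compares `object.author == current_user` without first checking that anyone is signed in. The removed `check_perms` tested `signed_in?` before touching `current_user`, which suggests `current_user` can be nil; if so, a record with no author would compare equal for an anonymous request. Guarding the predicate closes that case: `signed_in? && object.author == current_user`. The predicate also only returns a boolean, whereas `check_perms` rendered the 403 itself, and with both `before_action` lines removed in the first hunk nothing visible in this file calls `is_owner?` or `set_alert`. The caller is presumably outside this diff, so it is worth confirming that the new mechanism denies by default and still loads `@alert` for show/edit/update/destroy. As a style point, Ruby predicates are conventionally named without the `is_` prefix (`owner?`).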