From f959591c62d7e66454f676d9c2a9abdd6fac3a7f Mon Sep 17 00:00:00 2001
From: Luke Shumaker <LukeShu@sbcglobal.net>
Date: Thu, 6 Mar 2014 22:35:35 -0500
Subject: TournamentsController: add stricter host access control

---
 app/controllers/tournaments_controller.rb | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/app/controllers/tournaments_controller.rb b/app/controllers/tournaments_controller.rb
index 386a6a4..7c93346 100644
--- a/app/controllers/tournaments_controller.rb
+++ b/app/controllers/tournaments_controller.rb
@@ -1,6 +1,8 @@
 class TournamentsController < ApplicationController
-  before_action :set_tournament, only: [:show, :edit, :update, :destroy, :join]
-  before_action :check_perms, only: [:new, :create, :edit, :destroy]
+  # put #update in with before_show, because in special cases the
+  # permissions are relaxed, so we do that right in the #update method
+  before_action :before_show, only: [:show, :update]
+  before_action :before_edit, only: [:new, :create, :edit, :destroy]
 
   # GET /tournaments
   # GET /tournaments.json
@@ -46,9 +48,8 @@ class TournamentsController < ApplicationController
   # PATCH/PUT /tournaments/1
   # PATCH/PUT /tournaments/1.json
   def update
-  	
     if params[:update_action].nil?
-      check_perms
+      before_edit
       respond_to do |format|
         if @tournament.update(tournament_params)
           format.html { redirect_to @tournament, notice: 'Tournament was successfully updated.' }
@@ -103,18 +104,19 @@ class TournamentsController < ApplicationController
 
   private
     # Use callbacks to share common setup or constraints between actions.
-    def set_tournament
+    def before_show
       @tournament = Tournament.find(params[:id])
     end
 
-	def check_perms
-  		unless (signed_in? and current_user.in_group?(:host))
-  			respond_to do |format|
-  				format.html { render action: 'permission_denied', status: :forbidden }
-  				format.json { render json: "Permission denied", status: :forbidden }
-  			end
-  		end
-  	end
+    def before_edit
+      @tournament = Tournament.find(params[:id])
+      unless (signed_in? and (@tournament.hosts.include?(current_user) or current_user.in_group?(:admin)))
+        respond_to do |format|
+          format.html { render action: 'permission_denied', status: :forbidden }
+          format.json { render json: "Permission denied", status: :forbidden }
+        end
+      end
+    end
 
     # Never trust parameters from the scary internet, only allow the white list through.
     def tournament_params
-- 
cgit v1.2.3-54-g00ecf