Plugin Permissions Help

Added by Brigette Swan over 10 years ago

Some several months ago I posted a problem with the menus for a plugin I'm working on, along with some permission issues. Well, the project got put on hold as I was tasked with other things, but now it's back - so the problem is once again staring me in the face.

Now, I've learned some things about RoR since my last attempt, so I re-wrote the accursed thing from scratch, ripped out a bunch of excess, and even fixed my queries since they were subject to SQL injection before.

But I cannot for the life of me fix this one problem.

The plugin is a basic calendar for event recording and emailing and so forth. It uses an existing helper library type of thing, so it's not like I even wrote all that much - I want to get it working properly before I go mucking around with extending functionality. And it works fine, records events, sends email, displays lists, everything it's supposed to.

Except the permissions. I know they're totally mucked up, but I don't know how. I followed the tutorials and looked at otherp plugins, but no go.

Basically, the project module tab is turned on and off by the settings options like it should - but if you know the URL, the calendar still exists and can be accessed. I have some link_to_if_authorized links, which never appear, even logged in as an admin, but even as a not-permitted anonymous login, I can still navigate straight to the URL (knowing it in advance) and adding, editing, and deleting things. So I'm in one extreme or the other here, it seems like.

Here's the helpful stuff!

Ruby 1.8.7 (2009-12-24 patchlevel 248) [x86_64-linux]
Rails 2.3.5
RHEL5 OS
Mongrel Web Server 1.1.5
Redmine 0.9-stable

init.rb

require 'redmine'
require 'calendar_helper'

Redmine::Plugin.register :redmine_ical do
  name 'Redmine Plugin'
  author '...'
  description '...'
  version '0.0.1'

  project_module :ical do
    permission :view_ical, {:cal_basic => [:index, :show, :list]}, :public => true
    permission :edit_ical, {:cal_basic => :edit}
    permission :new_ical, {:cal_basic => :new}
    permission :destroy_ical, {:cal_basic => :destroy}
  end

  menu :project_menu, "Calendar", {:controller => 'cal_basic', :action => 'index'},
    :param => :id

  # Routes
  class << ActionController::Routing::Routes;self;end.class_eval do
    define_method :clear!, lambda {}
  end

  ActionController::Routing::Routes.draw do |map|
    map.cal_index_spec 'ical/index/:id/:year/:month', :controller => 'cal_basic', :action => 'index'
    map.cal_index_main 'ical/index/:id', :controller => 'cal_basic', :action => 'index'
    map.cal_new 'ical/new/:id', :controller => 'cal_basic', :action => 'new'
    map.cal_list_day 'ical/list/:id/:year/:month/:day', :controller => 'cal_basic', :action => 'list'
    map.cal_list_month 'ical/list/:id/:year/:month', :controller => 'cal_basic', :action => 'list'
    map.cal_list_year 'ical/list/:id/:year', :controller => 'cal_basic', :action => 'list'
    map.cal_show 'ical/show/:id', :controller => 'cal_basic', :action => 'show'
    map.cal_edit 'ical/edit/:id', :controller => 'cal_basic', :action => 'edit'
  end
end

cal_basic_controller.rb

class CalBasicController < ApplicationController

  unloadable

  before_filter :find_project, :authorize, :only => [:new, :index, :list]
  before_filter :find_event, :only => [:show]
  before_filter :find_event, :authorize, :only => [:edit, :destroy]

  helper :calendar

The controller is truncated for space, though if you need to see the whole thing, let me know. the actions are:
index: Shows the main page, with the month and year navigation menus and the current month as a calendar.
list: Gives a text list of all the events in the designated day/month/year.
show: Shows a single event and all its details, like start and stop time, description, etc.
new, edit, destroy: Does the appropriate action for the events.

Incidently, adding this line as the first before_filter:
before_filter :find_project, :only => [:index, :list]
And subsequently removing those two from the one below it apparently locks everything out and gives me much 404 love. (Yes, the module is turned on in this case, if it were turned off that would be a better sign.)

Input appreciated, and if you need other files, just ask. I'm just hoping someone can find whatever it is that I missed or mucked up.

Thanks!