From 335670167123f6824bcc3d28449ed31bc12be5d0 Mon Sep 17 00:00:00 2001
From: Justin Edmund
Date: Wed, 11 Oct 2023 11:25:02 +0900
Subject: [PATCH] Fix not_owner method (#136)

---
 app/controllers/api/v1/parties_controller.rb | 28 +++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/app/controllers/api/v1/parties_controller.rb b/app/controllers/api/v1/parties_controller.rb
index 66b4dc1..97dbc33 100644
--- a/app/controllers/api/v1/parties_controller.rb
+++ b/app/controllers/api/v1/parties_controller.rb
@@ -109,11 +109,27 @@ module Api
       private
 
       def authorize
-        render_unauthorized_response if (not_owner && !admin_mode) || (@party.edit_key != edit_key && !admin_mode)
+        return unless not_owner && !admin_mode
+
+        render_unauthorized_response
       end
 
       def not_owner
-        current_user && @party.user != current_user
+        if @party.user
+          # party has a user and current_user does not match
+          return true if current_user != @party.user
+
+          # party has a user, there's no current_user, but edit_key is provided
+          return true if current_user.nil? && edit_key
+        else
+          # party has no user, there's no current_user and there's no edit_key provided
+          return true if current_user.nil? && edit_key.nil?
+
+          # party has no user, there's no current_user, and the party's edit_key doesn't match the provided edit_key
+          return true if current_user.nil? && @party.edit_key != edit_key
+        end
+
+        false
       end
 
       def build_filters
@@ -263,7 +279,9 @@ module Api
       end
 
       def user_quality
-        'user_id IS NOT NULL' unless request.params[:user_quality].blank? || request.params[:user_quality] == 'false'
+        return if request.params[:user_quality].blank? || request.params[:user_quality] == 'false'
+
+        'user_id IS NOT NULL'
       end
 
       def name_quality
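Review bot: The `else` branch of `not_owner` only returns true when `current_user.nil?`, so any signed-in user is treated as the owner of a user-less party without presenting its edit_key, whereas the `@party.edit_key != edit_key` clause removed from `authorize` used to reject that for every caller. The branch should demand the key regardless of login state, e.g. replace the two `current_user.nil? &&` checks with `return true if edit_key.nil? || @party.edit_key != edit_key`. In the `if @party.user` branch the second check is unreachable, since a nil `current_user` already satisfies `current_user != @party.user` on the line before it. If `@party.edit_key` is a bearer secret, comparing it with `!=` rather than `ActiveSupport::SecurityUtils.secure_compare` exposes a timing side channel; `edit_key` and `admin_mode` are defined outside the hunk, so this assumes they return the request-supplied key and a boolean.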
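Review bot: The guard added to `user_quality` duplicates the one `original` gains in the next hunk, and the two differ only in the parameter name and in using a symbol key (`:user_quality`) versus a string key (`'original'`). A small predicate such as `flag_param?(name)` returning `!(request.params[name].blank? || request.params[name] == 'false')` would let both methods read `return unless flag_param?(:user_quality)` and settle on one key style. Whether `request.params` here is an `ActionController::Parameters` with indifferent access or a plain Hash is not visible in the hunk, so the symbol/string mismatch may or may not be behaviorally significant.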
@@ -290,7 +308,9 @@ module Api
       end
 
       def original
-        'source_party_id IS NULL' unless request.params['original'].blank? || request.params['original'] == 'false'
+        return if request.params['original'].blank? || request.params['original'] == 'false'
+
+        'source_party_id IS NULL'
       end
 
       def id_to_table(id)