add checking of users permitions in taggable_controller

8d91943d · Lucas Gabriel Lima · c73afe12 · 8d91943d
Commit 8d91943d authored 8 years ago by Lucas Gabriel Lima
--- a/app/controllers/concerns/taggable_controller.rb
+++ b/app/controllers/concerns/taggable_controller.rb
@@ -3,19 +3,20 @@ module TaggableController
  included do
    before_action :authenticate_user!, only: [:tagging, :untagging]
+    before_action :set_owner, only: [:tagging, :untagging]
  end
  # POST /v1/learning_objects/1/tagging
  # POST /v1/learning_objects/1/tagging.json
  def tagging
-    current_user.tag(taggable, with: [tag_params[:name]])
+    @owner.tag(taggable, with: [tag_params[:name]])
    render json: taggable, status: :created
  end
  # DELETE /v1/learning_objects/1/untagging
  # DELETE /v1/learning_objects/1/untagging.json
  def untagging
-    current_user.untag(taggable, tag_params[:name])
+    @owner.untag(taggable, tag_params[:name])
    render json: taggable, status: :ok
  end
@@ -26,7 +27,21 @@ module TaggableController
  end
  def tag_params
-    params.require(:tag).permit(:name)
+    params.require(:tag).permit(:name, :owner_id, :owner_type)
+  end
+  def set_owner
+    if current_user.is_admin?
+      @owner = tag_params[:owner_type].constantize.find(tag_params[:owner_id])
+    else
+      if tag_params[:owner_type] == 'Institution'
+        if Institution.find(tag_params[:owner_id]).users.include? current_user
+          @owner = Institution.find(tag_params[:owner_id])
+        end
+      else
+        @owner = current_user
+      end
+    end
  end
 end