diff --git a/app/controllers/learning_objects_controller.rb b/app/controllers/learning_objects_controller.rb
index 8d07a5834fdb6d64ae8aeb34e320b2e634427ff5..520da4ce710adbf2d3b1f119be4234cb893dab94 100644
--- a/app/controllers/learning_objects_controller.rb
+++ b/app/controllers/learning_objects_controller.rb
@@ -12,11 +12,11 @@ class LearningObjectsController < ApplicationController
:collections, :upload, :upload_link, :download, :user_not_authorized]
after_action :increment_learning_object_views, only: [:show]
+ before_action :authorize_action
# GET /learning_objects/1
# GET /learning_objects/1.json
def show
- authorize @learning_object
@liked = !@learning_object.liked?(current_user) if user_signed_in?
@reviews = Review.where(reviewable: @learning_object)
end
@@ -135,4 +135,9 @@ class LearningObjectsController < ApplicationController
redirect_to (root_path)
end
+ def authorize_action
@learning_object ||= LearningObject.new
authorize @learning_object
end
+
end
diff --git a/app/policies/learning_object_policy.rb b/app/policies/learning_object_policy.rb
index f5829e1d918af8a1f64728e5d0c87c9ba920a450..9f55e961b2d5964ad1b3d7e22f1a12eeb5c007cb 100644
--- a/app/policies/learning_object_policy.rb
+++ b/app/policies/learning_object_policy.rb
@@ -11,6 +11,18 @@ class LearningObjectPolicy < ApplicationPolicy
end
end
+ def create?
record unless user.nil?
end
+ def update?
record if user_authorized?
end
+ def destroy?
record if user_authorized?
end
+
def show?
if user.nil?
record.state == 'published'
@@ -20,4 +32,17 @@ class LearningObjectPolicy < ApplicationPolicy
record.state == 'published'
end
end
+ private
+ def user_authorized?
return false if user.nil?
return true if user.is_admin?
if record.publisher.is_a? Institution
record.publisher.users.include? user
else
record.publisher == user
end
end
end
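Review bot: The new `before_action :authorize_action` carries no `only:`/`except:`, so Pundit now resolves a predicate named after every action of this controller — `index?`, `collections?`, `upload?`, `upload_link?`, `download?` and even `user_not_authorized?`, which is itself listed in the `set_learning_object` filter visible at the top of the hunk — and any predicate that `LearningObjectPolicy` lacks (the policy hunks below add only `create?`, `update?`, `destroy?` and `show?`) will either raise `NoMethodError` or fall back to whatever `ApplicationPolicy` defines, which is not visible here. Scope the filter, e.g. `before_action :authorize_action, except: [:user_not_authorized]`, and add explicit predicates for the custom actions, or confirm `ApplicationPolicy` already covers them. The filter must also stay declared after `set_learning_object` so `@learning_object` is the loaded record rather than the blank fallback when `show`, `update` and `destroy` are authorized. The `set_learning_object` declaration itself starts above this hunk.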
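Review bot: `authorize_action` silently substitutes `LearningObject.new` for any action that `set_learning_object` does not cover, so publisher-based rules in the policy then run against a record with no publisher and deny everyone except admins; that is fail-closed, but the intent is invisible and deserves a comment above the method: `# Pundit check for every action; actions not covered by set_learning_object are authorized against a blank record (no publisher), so ownership rules deny non-admins.`. The method is inserted immediately before the class's closing `end`, and whether a `private` marker precedes it is outside this hunk — if it is public, Rails exposes it as an action method, so it should be declared private.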
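Review bot: `create?` admits any signed-in user and never inspects the record's publisher, and since the controller authorizes `create` against a fresh `LearningObject.new` (controller hunk above), whatever publisher the request submits is never checked by `user_authorized?`; if the strong params accept a publisher, a user could file an object under an institution they do not belong to, so either re-run `user_authorized?` once attributes are assigned or set the publisher server-side. The three predicates also return `record` or `nil` instead of booleans, which satisfies `authorize` but breaks the `?` convention for callers such as `policy(x).update?`; replace the bodies with `!user.nil?`, `user_authorized?` and `user_authorized?`.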
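Review bot: `user_authorized?` denies a record with no publisher only because `nil.is_a?(Institution)` and `nil == user` both happen to be false — exactly the situation for the blank record the controller authorizes non-loaded actions against — so make that explicit with a guard after the admin check, `return false if record.publisher.nil?`, and a comment `# deny-by-default: a record without a publisher (e.g. the controller's LearningObject.new fallback) is never editable by non-admins`. The institution branch, `record.publisher.users.include? user`, grants update/destroy to every member of the publishing institution rather than to the uploader alone; confirm that scope is intended. `user.is_admin?` short-circuits everything, so admin assignment is the sensitive path this policy inherits.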