PR #142 introduced event organizers: users who created an event and are able to edit it.
This is done by not rendering the form if the user cannot edit the event. Of course, any malicious user might still manually post to the correct URL, even though he does not have permission to do so.
Also, a user that is not signed in can still create an event, which causes this error, because the `current_user`, which is `nil` when no user is signed in, is added to the editors collection, which results in the mentioned error.
As a solution, only logged-in users should be allowed to create events, and only editors of an event should be allowed to edit events. This should be expressed in the `models/ability.rb` from cancancan.
Additionally, the event controller should have a `load_and_authorize_resource ...` line comparable to the one in the users controller.
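The rules this issue asks for, as an added example that is not the project's code: a plain-Ruby stand-in for the cancancan `Ability` class (so it runs without Rails or the gem), with the equivalent cancancan DSL in comments and a server-side `authorize!` check standing in for `load_and_authorize_resource`. The `User`/`Event` shapes and `AccessDenied` are assumptions, not taken from the repository.

```ruby
# Added example, not the project's code: a plain-Ruby stand-in for the
# cancancan Ability class so the rules run without Rails or the gem.
# Assumed model shape (not from the issue): Event#editors is a list of Users.
User  = Struct.new(:id, :name)
Event = Struct.new(:id, :title, :editors)

class AccessDenied < StandardError; end

class Ability
  # The equivalent cancancan rules for models/ability.rb would be:
  #   return if user.nil?            # guest: no abilities at all
  #   can :create, Event
  #   can [:update, :destroy], Event do |event|
  #     event.editors.include?(user)
  #   end
  # Guests are modelled as a nil user, the case that appended nil to
  # event.editors in the issue; here they simply get no rules.
  def initialize(user)
    @user  = user
    @rules = []
    return if @user.nil?
    @rules << [:create,  Event, ->(_event) { true }]
    @rules << [:update,  Event, ->(event) { event.editors.include?(@user) }]
    @rules << [:destroy, Event, ->(event) { event.editors.include?(@user) }]
  end

  # subject is either a class (class-level check, e.g. can?(:create, Event))
  # or an instance (record-level check, e.g. can?(:update, some_event)).
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule_action, rule_class, condition|
      next false unless rule_action == action && rule_class == klass
      subject.is_a?(Class) || condition.call(subject)
    end
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end
end

# What load_and_authorize_resource does on every request: the check runs
# server-side, so a hidden edit form is no longer the only barrier against
# a hand-crafted POST to the edit URL.
def authorize!(user, action, subject)
  return true if Ability.new(user).can?(action, subject)
  who = user ? user.name : "guest"
  raise AccessDenied, "#{who} may not #{action} #{subject.inspect}"
end
```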