From 5b822a9501b503c4fe19aed86c38c8db59b5ebf0 Mon Sep 17 00:00:00 2001
From: rulingcom
Date: Fri, 5 Jun 2026 05:32:25 +0000
Subject: [PATCH] Fixd Category Authorization Permissions
---
 app/controllers/admin/seminar_signups_controller.rb | 10 +++++++++-
 app/controllers/admin/seminars_controller.rb | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/app/controllers/admin/seminar_signups_controller.rb b/app/controllers/admin/seminar_signups_controller.rb
index 9e640f4..53ac047 100644
--- a/app/controllers/admin/seminar_signups_controller.rb
+++ b/app/controllers/admin/seminar_signups_controller.rb
@@ -3,18 +3,26 @@ class Admin::SeminarSignupsController < OrbitAdminController
 include Admin::SeminarsHelper
 before_action ->(module_app = @app_title) { set_variables module_app }
 before_action :check_manager_for_seminar
+ skip_before_action :check_for_nil_categories
 def initialize
 super
 @app_title = "seminar"
 end
 def check_manager_for_seminar
 OrbitHelper.set_params(params,current_user)
+ OrbitHelper.set_this_module_app("seminar")
 access_level = OrbitHelper.user_access_level?
- if (access_level.nil? || access_level == "user") || access_level == "sub_manager"
+ if access_level.nil? || access_level == "user"
 @seminar = SeminarSignup.find(params[:id]).seminar_main rescue nil
 if (@seminar.organizer_id != current_user.member_profile_id rescue true)
 render_401
 end
+ elsif access_level == "sub_manager"
+ @seminar = SeminarSignup.find(params[:id]).seminar_main rescue nil
+ approved_category_ids = current_user.approved_categories.collect{|c| c.id}
+ unless approved_category_ids.include?(@seminar.category_id) || (@seminar.organizer_id == current_user.member_profile_id rescue false)
+ render_401
+ end
 end
 end
 def edit
diff --git a/app/controllers/admin/seminars_controller.rb b/app/controllers/admin/seminars_controller.rb
index 6668603..d2591ce 100644
--- a/app/controllers/admin/seminars_controller.rb
+++ b/app/controllers/admin/seminars_controller.rb
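Review bot: In the new `elsif access_level == "sub_manager"` branch `@seminar` can be nil (the `rescue nil` on the lookup line swallows a missing or malformed `params[:id]`), and the following `unless` line then calls `@seminar.category_id` outside any rescue, so a sub_manager sending a bad id gets a NoMethodError/500 instead of the 401 the `user` branch returns for the same situation. Guard on the record before dereferencing it: `unless @seminar && (approved_category_ids.include?(@seminar.category_id) || (@seminar.organizer_id == current_user.member_profile_id rescue false))`. The added `skip_before_action :check_for_nil_categories` disables a parent-controller callback whose behaviour is not visible here; a one-line comment stating why it is safe to skip now that `OrbitHelper.set_this_module_app("seminar")` is called (presumably the category lookup depends on it) would help the next reader. The inline approved-category check also appears to duplicate what `can_edit_or_delete?` does in the sibling SeminarsController change; sharing one predicate would keep the two rules from drifting.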
@@ -624,7 +624,7 @@ class Admin::SeminarsController < OrbitAdminController
 if @access_level == "user" || @access_level.nil?
 @can_edit = false
 elsif @access_level == "sub_manager"
- @can_edit = false
+ @can_edit = can_edit_or_delete?(@seminar)
 end
 unless @can_edit
 @can_edit = (@seminar.organizer_id == current_user.member_profile_id rescue false)
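Review bot: `@can_edit = can_edit_or_delete?(@seminar)` on the sub_manager branch hands the decision to a helper whose definition is outside this diff, so it is not visible whether it applies the same two conditions (approved category or organizer) that SeminarSignupsController#check_manager_for_seminar enforces inline in this commit; if it only checks the category, the organizer fallback on the `unless @can_edit` line below still applies, but the two controllers should share a single predicate so the rules cannot drift. `@can_edit` is an instance flag presumably read by views or later code; the mutating actions (update/destroy) should re-run the check server-side rather than trust the flag, which I cannot confirm from this hunk. The enclosing method starts and ends outside the hunk.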