Commit 232563c7af1eab1e0a327fcf8ce1e115327c7d7f
1 parent
e327934d
Exists in
api_tasks
Fixing permissions when target is not a person
Signed-off-by: André Bernardes <andrebsguedes@gmail.com> Signed-off-by: Hebert Douglas <hebertdougl@gmail.com>
Showing
1 changed file
with
2 additions
and
1 deletions
Show diff stats
lib/noosfero/api/helpers.rb
| ... | ... | @@ -112,7 +112,8 @@ module Noosfero |
| 112 | 112 | |
| 113 | 113 | def present_tasks(asset) |
| 114 | 114 | tasks = select_filtered_collection_of(asset, 'tasks', params) |
| 115 | - tasks = tasks.select {|t| t.display_to?(current_user.person)} | |
| 115 | + tasks = tasks.select {|t| current_person.has_permission?(t.permission, asset)} | |
| 116 | + return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset) | |
| 116 | 117 | present tasks, :with => Entities::Task, :fields => params[:fields] |
| 117 | 118 | end |
| 118 | 119 | ... | ... |