Commit 232563c7af1eab1e0a327fcf8ce1e115327c7d7f

Authored by André Guedes
1 parent e327934d
Exists in api_tasks

Fixing permissions when target is not a person

Signed-off-by: André Bernardes <andrebsguedes@gmail.com>
Signed-off-by: Hebert Douglas <hebertdougl@gmail.com>
Showing 1 changed file with 2 additions and 1 deletions   Show diff stats
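--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -112,7 +112,8 @@ module Noosfero
 
 def present_tasks(asset)
 tasks = select_filtered_collection_of(asset, 'tasks', params)
-tasks = tasks.select {|t| t.display_to?(current_user.person)}
+tasks = tasks.select {|t| current_person.has_permission?(t.permission, asset)}
+return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
 present tasks, :with => Entities::Task, :fields => params[:fields]
 end
 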
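Review bot: The 403 on added line 116 is gated on `tasks.empty?`, so a caller without `:perform_task` on `asset` gets a 403 or a 200 depending on what the filter left over, not on their rights alone. If `select_filtered_collection_of` paginates before this Ruby-side `select` (not visible here), a page whose tasks are all filtered out would be refused even though the caller holds per-task permissions on other pages. Both added lines also call `current_person.has_permission?` without a guard, so if `current_person` can be nil at this point an anonymous request raises NoMethodError instead of being rejected cleanly; a leading `return forbidden! unless current_person` would make the requirement explicit. It is also worth confirming that `has_permission?` returns false when `t.permission` is nil, so that a task without a declared permission is not shown to everyone. The commit changes only this helper, so a spec covering a task whose target is not a person, requested by a user with and without the permission, would pin the intended behaviour.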