Per project protection

This commit is contained in:
Dmitriy Zaporozhets 2013-02-15 09:51:21 +02:00
parent 4821aa6c25
commit f6cc71bc36

View file

@ -1,7 +1,13 @@
class FilesController < ApplicationController
def download
uploader = Note.find(params[:id]).attachment
note = Note.find(params[:id])
if can?(current_user, :read_project, note.project)
uploader = note.attachment
send_file uploader.file.path, disposition: 'attachment'
else
not_found!
end
end
end