Per project protection

2013-02-15 09:51:21 +02:00 · 2013-02-15 09:51:21 +02:00 · f6cc71bc36
parent 4821aa6c25
commit f6cc71bc36
1 changed files with 8 additions and 2 deletions
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@ -1,7 +1,13 @@
 class FilesController < ApplicationController
  def download
-    uploader = Note.find(params[:id]).attachment
+    note = Note.find(params[:id])
+
+    if can?(current_user, :read_project, note.project)
+      uploader = note.attachment
      send_file uploader.file.path, disposition: 'attachment'
+    else
+      not_found!
+    end
  end
 end