fixed 附件下载权限

2022-11-15 17:12:10 +08:00 · 2022-11-15 17:12:10 +08:00 · a1731f91a9
parent ea7cf1cd1f
commit a1731f91a9
1 changed files with 10 additions and 13 deletions
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@ -213,20 +213,17 @@ class AttachmentsController < ApplicationController
  def attachment_candown
    unless current_user.admin? || current_user.business?
      candown = true
-      unless params[:type] == 'history'
-        if @file.container && current_user.logged?
-          if @file.container.is_a?(Issue)
-            course = @file.container.project
-            candown = course.member?(current_user) || course.is_public
-          elsif @file.container.is_a?(Journal)
-            course = @file.container.issue.project
-            candown = course.member?(current_user) || course.is_public
-          else
-            course = nil
-          end
-          tip_exception(403, "您没有权限进入") if course.present? && !candown
-          tip_exception(403, "您没有权限进入") if @file.container.is_a?(ApplyUserAuthentication)
+      if @file.container
+        if @file.container.is_a?(Issue)
+          project = @file.container.project
+          candown = project.is_public || (current_user.logged? && project.member?(current_user))
+        elsif @file.container.is_a?(Journal)
+          project = @file.container.issue.project
+          candown = project.is_public || (current_user.logged? && project.member?(current_user))
+        else
+          project = nil
        end
+        tip_exception(403, "您没有权限进入") if project.present? && !candown
      end
    end
  end