add authorization checks

Pete Matsyburka
2026-05-15 18:55:03 +03:00
parent 755decca27
commit e52830c9b4
7 changed files with 14 additions and 0 deletions
@@ -5,6 +5,7 @@ class SubmissionsResendEmailController < ApplicationController
before_action do
authorize!(:manage, :resend_all)
authorize!(:update, @submission)
end
def create
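Review bot: The added `authorize!(:update, @submission)` is only meaningful if `@submission` is already assigned when this `before_action` block runs, and the callback that loads it is not visible in the hunk. If the load is declared after this block, or is skipped for some action, the subject is `nil` and the check is not evaluated against the submission being resent. Confirm the loading callback is declared above this block, or move the line to the top of `create` as the other controllers in this commit do. The class body starts above the hunk and `create` continues below it.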
@@ -4,6 +4,8 @@ class SubmissionsUnarchiveController < ApplicationController
load_and_authorize_resource :submission
def create
authorize!(:update, @submission)
@submission.update!(archived_at: nil)
redirect_to submission_path(@submission), notice: I18n.t('submission_has_been_unarchived')
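Review bot: Nothing in this commit pins the new denial path. All seven changed files are controllers, so the `authorize!(:update, @submission)` added here, and the matching lines in SubmittersSendEmailController and TemplatesRestoreController, could later be removed as "redundant" without any spec failing. A request spec per endpoint would cover it: sign in a user who can read but not update the record and expect the access-denied response. If the reason for the extra call is that `load_and_authorize_resource :submission` does not require `:update` for this action, a comment above it would help, e.g. `# load_and_authorize_resource does not require :update here; check it explicitly`.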
@@ -4,6 +4,8 @@ class SubmittersSendEmailController < ApplicationController
load_and_authorize_resource :submitter
def create
authorize!(:update, @submitter)
if Docuseal.multitenant? && SubmissionEvent.exists?(submitter: @submitter,
event_type: 'send_email',
created_at: 10.hours.ago..Time.current)
@@ -10,6 +10,8 @@ class TemplateDocumentsController < ApplicationController
end
def create
authorize!(:update, @template)
if params[:blobs].blank? && params[:files].blank?
return render json: { error: I18n.t('file_is_missing') }, status: :unprocessable_content
end
@@ -13,6 +13,9 @@ class TemplatesCloneAndReplaceController < ApplicationController
cloned_template = Templates::Clone.call(@template, author: current_user)
cloned_template.name = File.basename(params[:files].first.original_filename, '.*')
authorize!(:create, cloned_template)
cloned_template.save!
documents = Templates::ReplaceAttachments.call(cloned_template, params, extract_fields: true)
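Review bot: `authorize!(:create, cloned_template)` runs only after `Templates::Clone.call` and after the name is read from `params[:files].first`, so anything the clone service persists or copies would happen before the permission decision. If `Templates::Clone.call` only builds an unsaved record this ordering is fine, but that is not visible here. A comment such as `# Templates::Clone.call must stay side-effect free: authorization happens after it` would record the assumption. The check covers creating the clone only; read access to the source `@template` has to be enforced by code outside this hunk.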
@@ -6,6 +6,8 @@ class TemplatesFoldersController < ApplicationController
def edit; end
def update
authorize!(:update, @template)
name = [params[:parent_name], params[:name]].compact_blank.join(' / ')
@template.folder = TemplateFolders.find_or_create_by_name(current_user, name)
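Review bot: Only `update` gets the new `authorize!(:update, @template)`; `edit` on the line above still renders the folder form under whatever check is declared outside this hunk. Declaring it once for both actions keeps the form and the write path consistent: `before_action -> { authorize!(:update, @template) }, only: %i[edit update]`, placed after the callback that loads `@template`. `update` continues past the end of the hunk.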
@@ -4,6 +4,8 @@ class TemplatesRestoreController < ApplicationController
load_and_authorize_resource :template
def create
authorize!(:update, @template)
@template.update!(archived_at: nil)
WebhookUrls.enqueue_events(@template, 'template.updated')