Module: Sufia::BatchUploadsControllerBehavior
- Extended by: ActiveSupport::Concern
- Includes: CurationConcerns::CurationConcernController, Hydra::Controller::ControllerBehavior
- Included in: BatchUploadsController
- Defined in: app/controllers/concerns/sufia/batch_uploads_controller_behavior.rb
Defined Under Namespace
Classes: BatchUploadFormService
Instance Method Summary
- #create ⇒ Object
The permissions to create a batch are not as important as the permissions for the concern being batched.
Instance Method Details
#create ⇒ Object
Note:
We don't call `authorize!` directly, since `authorized_models` already checks `user.can? :create, …`
The permissions to create a batch are not as important as the permissions for the concern being batched.
```ruby
# File 'app/controllers/concerns/sufia/batch_uploads_controller_behavior.rb', line 16

def create
  authenticate_user!
  unsafe_pc = params.fetch(:batch_upload_item, {})[:payload_concern]
  # Calling constantize on user params is disfavored (per brakeman), so we sanitize by matching it against an authorized model.
  safe_pc = Sufia::SelectTypeListPresenter.new(current_user).authorized_models.map(&:to_s).find { |x| x == unsafe_pc }
  raise CanCan::AccessDenied, "Cannot create an object of class '#{unsafe_pc}'" unless safe_pc
  # authorize! :create, safe_pc
  create_update_job(safe_pc)
  flash[:notice] = t('sufia.works.create.after_create_html', application_name: view_context.application_name)
  redirect_after_update
end
```
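The allow-list match that `#create` performs, reduced to plain Ruby as an added example (this is not Sufia's code). The classes `GenericWork` and `Dataset`, the `AUTHORIZED` table, `AccessDenied` and the helper names are constructed stand-ins for the presenter's `authorized_models` and `CanCan::AccessDenied`.

```ruby
# Constructed stand-ins for work types; these are not Sufia classes.
class GenericWork; end
class Dataset; end

# Stands in for CanCan::AccessDenied so the example runs without Rails.
class AccessDenied < StandardError; end

# Hypothetical ability table: the models each user may :create.
AUTHORIZED = {
  'depositor' => [GenericWork, Dataset],
  'reader'    => []
}.freeze

# Assumption: plays the role of SelectTypeListPresenter#authorized_models.
def authorized_models(user)
  AUTHORIZED.fetch(user, [])
end

# Returns the allow-listed class name that exactly equals the request value.
# The returned string comes from the server-side list; the request value is
# only ever compared, never passed to a constant lookup.
def resolve_payload_concern(user, params)
  item = params.fetch(:batch_upload_item, {})
  unsafe_pc = item.is_a?(Hash) ? item[:payload_concern] : nil
  safe_pc = authorized_models(user).map(&:to_s).find { |x| x == unsafe_pc }
  raise AccessDenied, "Cannot create an object of class '#{unsafe_pc}'" unless safe_pc
  safe_pc
end

# Convenience wrapper for the demo: the resolved name, or :denied.
def outcome(user, name)
  resolve_payload_concern(user, { batch_upload_item: { payload_concern: name } })
rescue AccessDenied
  :denied
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request values: an authorized model, a constant that exists
  # but is not a work type, an alternate spelling, and a missing parameter.
  ['GenericWork', 'Object', '::GenericWork', nil].each do |name|
    puts "depositor #{name.inspect} -> #{outcome('depositor', name).inspect}"
  end
  puts "reader \"GenericWork\" -> #{outcome('reader', 'GenericWork').inspect}"
end
```

Because the comparison is exact string equality against the per-user list, the lookup doubles as the `:create` authorization check, which is why the separate `authorize!` call is left commented out.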