diff --git a/app/controllers/submissions_resend_email_controller.rb b/app/controllers/submissions_resend_email_controller.rb
index 82d10797..a68c7ad4 100644
--- a/app/controllers/submissions_resend_email_controller.rb
+++ b/app/controllers/submissions_resend_email_controller.rb
@@ -5,6 +5,7 @@ class SubmissionsResendEmailController < ApplicationController
 before_action do
 authorize!(:manage, :resend_all)
+ authorize!(:update, @submission)
 end
 def create
diff --git a/app/controllers/submissions_unarchive_controller.rb b/app/controllers/submissions_unarchive_controller.rb
index 5a60a60b..8bd320a6 100644
--- a/app/controllers/submissions_unarchive_controller.rb
+++ b/app/controllers/submissions_unarchive_controller.rb
@@ -4,6 +4,8 @@ class SubmissionsUnarchiveController < ApplicationController
 load_and_authorize_resource :submission
 def create
+ authorize!(:update, @submission)
+
 @submission.update!(archived_at: nil)
 redirect_to submission_path(@submission), notice: I18n.t('submission_has_been_unarchived')
diff --git a/app/controllers/submitters_send_email_controller.rb b/app/controllers/submitters_send_email_controller.rb
index 51c7c1b7..f616c976 100644
--- a/app/controllers/submitters_send_email_controller.rb
+++ b/app/controllers/submitters_send_email_controller.rb
@@ -4,6 +4,8 @@ class SubmittersSendEmailController < ApplicationController
 load_and_authorize_resource :submitter
 def create
+ authorize!(:update, @submitter)
+
 if Docuseal.multitenant? && SubmissionEvent.exists?(submitter: @submitter, event_type: 'send_email', created_at: 10.hours.ago..Time.current)
diff --git a/app/controllers/template_documents_controller.rb b/app/controllers/template_documents_controller.rb
index db8ba66c..fafa6c14 100644
--- a/app/controllers/template_documents_controller.rb
+++ b/app/controllers/template_documents_controller.rb
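Review bot: The added `authorize!(:update, @submission)` inside the `before_action` block only guards the real record if `@submission` has already been loaded by an earlier callback, and that loader is not visible in this hunk (the class's first four lines are outside it). Callbacks run in declaration order, so if the loader is declared after this block, `@submission` is nil at this point and the check is made against nothing; worth confirming against the lines above the hunk. A one-line comment on the new line would record the dependency for the next reader: `# @submission must already be loaded by the preceding callback`.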
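Review bot: The new `authorize!(:update, @submission)` in `create` sits directly under `load_and_authorize_resource :submission` with nothing explaining why a second authorization is needed, and the same undocumented pairing appears in the submitters_send_email_controller.rb, templates_folders_controller.rb and templates_restore_controller.rb hunks (and presumably template_documents_controller.rb, whose loader is outside its hunk). If this is CanCanCan's `load_and_authorize_resource`, a resource declared under a name that differs from the controller's is treated as a parent and only its read permission is checked, which is why the mutation needs its own `:update` check; that reasoning should be stated once at the call site, e.g. `# the loader above treats :submission as a parent resource and checks read access only; this action mutates it`. `create` continues past the end of the hunk.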
@@ -10,6 +10,8 @@ class TemplateDocumentsController < ApplicationController
 end
 def create
+ authorize!(:update, @template)
+
 if params[:blobs].blank? && params[:files].blank?
 return render json: { error: I18n.t('file_is_missing') }, status: :unprocessable_content
 end
diff --git a/app/controllers/templates_clone_and_replace_controller.rb b/app/controllers/templates_clone_and_replace_controller.rb
index de64d86d..015d1830 100644
--- a/app/controllers/templates_clone_and_replace_controller.rb
+++ b/app/controllers/templates_clone_and_replace_controller.rb
@@ -13,6 +13,9 @@ class TemplatesCloneAndReplaceController < ApplicationController
 cloned_template = Templates::Clone.call(@template, author: current_user)
 cloned_template.name = File.basename(params[:files].first.original_filename, '.*')
+
+ authorize!(:create, cloned_template)
+
 cloned_template.save!
 documents = Templates::ReplaceAttachments.call(cloned_template, params, extract_fields: true)
diff --git a/app/controllers/templates_folders_controller.rb b/app/controllers/templates_folders_controller.rb
index 3e83023a..05ee62d8 100644
--- a/app/controllers/templates_folders_controller.rb
+++ b/app/controllers/templates_folders_controller.rb
@@ -6,6 +6,8 @@ class TemplatesFoldersController < ApplicationController
 def edit; end
 def update
+ authorize!(:update, @template)
+
 name = [params[:parent_name], params[:name]].compact_blank.join(' / ')
 @template.folder = TemplateFolders.find_or_create_by_name(current_user, name)
diff --git a/app/controllers/templates_restore_controller.rb b/app/controllers/templates_restore_controller.rb
index d6d0505e..422b69cf 100644
--- a/app/controllers/templates_restore_controller.rb
+++ b/app/controllers/templates_restore_controller.rb
@@ -4,6 +4,8 @@ class TemplatesRestoreController < ApplicationController
 load_and_authorize_resource :template
 def create
+ authorize!(:update, @template)
+
 @template.update!(archived_at: nil)
 WebhookUrls.enqueue_events(@template, 'template.updated')
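Review bot: In templates_clone_and_replace_controller.rb, `params[:files].first.original_filename` on the line above the new `authorize!(:create, cloned_template)` is evaluated unguarded and raises NoMethodError for a request with no files, while the template_documents_controller.rb hunk in this same commit rejects that case with a 422 before doing anything. The same guard belongs at the top of this action, ahead of `Templates::Clone.call`, e.g. `return render json: { error: I18n.t('file_is_missing') }, status: :unprocessable_content if params[:files].blank?` (or whatever response shape this controller otherwise uses). Note also that the clone is built before the `:create` check runs; whether `Templates::Clone.call` persists anything before `save!` is not visible here, and if it does the check should move above it. The enclosing method starts and ends outside the hunk.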
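Review bot: In templates_folders_controller.rb the new `authorize!(:update, @template)` covers `update` only, while `def edit; end` directly above keeps whatever check the loader gives it, so a user without `:update` can presumably open the folder form and only be refused on submit. If that asymmetry is unintended, the check can be shared by both actions, e.g. `before_action(only: %i[edit update]) { authorize!(:update, @template) }` declared after the resource loader so `@template` is set; if it is intended, a short comment on the `edit` line saying so would stop the next reader from "fixing" it. `update` continues past the end of the hunk.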