app/controllers/cms/sections_controller.rb in browsercms-3.0.2 vs app/controllers/cms/sections_controller.rb in browsercms-3.0.3
@@ -1,8 +1,9 @@
class Cms::SectionsController < Cms::BaseController
before_filter :load_parent, :only => [:new, :create]
+ before_filter :load_section, :only => [:edit, :update, :destroy, :move]
before_filter :set_toolbar_tab
helper_method :public_groups
helper_method :cms_groups
@@ -14,41 +15,40 @@
redirect_to cms_sitemap_path
end
def new
@section = @parent.sections.build
- @section.groups = public_groups + cms_groups
+ @section.groups = @parent.groups
end
def create
@section = Section.new(params[:section])
@section.parent = @parent
+ @section.groups = @section.parent.groups unless current_user.able_to?(:administrate)
if @section.save
flash[:notice] = "Section '#{@section.name}' was created"
redirect_to [:cms, @section]
else
render :action => 'new'
end
end
def edit
- @section = Section.find(params[:id])
- raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section)
end
def update
- @section = Section.find(params[:id])
- if @section.update_attributes(params[:section])
+ params[:section].delete('group_ids') if params[:section] && !current_user.able_to?(:administrate)
+ @section.attributes = params[:section]
+ if @section.save
flash[:notice] = "Section '#{@section.name}' was updated"
redirect_to [:cms, @section]
else
render :action => 'edit'
end
end
def destroy
- @section = Section.find(params[:id])
respond_to do |format|
if @section.deletable? && @section.destroy
message = "Section '#{@section.name}' was deleted."
format.html { flash[:notice] = message; redirect_to(cms_sitemap_url) }
format.json { render :json => {:success => true, :message => message } }
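Review bot: The non-admin restriction in `update` only strips `group_ids` before `@section.attributes = params[:section]` assigns the rest of the hash, and `create` likewise passes the full hash to `Section.new(params[:section])` before overriding `parent` and `groups`; whether a submitted `parent_id` can re-parent a section through these paths, bypassing the separately gated `move` action, depends on the model's attribute whitelist, which is not visible in this diff. If the model does not protect it, the same filtering belongs here, e.g. `params[:section].delete('parent_id') if params[:section]` alongside the existing `group_ids` line, or better a single protected helper that both actions call so the two paths stay in step. The `group_ids` check relies on params being indifferent-access so the string key matches; a short comment on that line, `# params are indifferent-access, so 'group_ids' also covers :group_ids`, would save the next reader from wondering. `destroy`'s body continues past the end of this hunk.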
@@ -59,11 +59,10 @@
end
end
end
def move
- @section = Section.find(params[:id])
if params[:section_id]
@move_to = Section.find(params[:section_id])
else
@move_to = Section.root.first
end
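Review bot: `move` now relies on `load_section` to check edit rights on the section being moved, but the destination loaded at `@move_to = Section.find(params[:section_id])` gets no such check, so a user who can edit one section may move it under any section id they supply. Mirror the check the new `load_parent` performs for `create` by adding `raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@move_to)` after the `if`/`else` that picks `@move_to`. Note that `Section.root.first` may be nil on an empty tree, in which case the check (and whatever follows) would fail with a NoMethodError rather than a clear error; that is presumably rare but worth a guard. The rest of `move`'s body lies outside this hunk.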
@@ -79,9 +78,15 @@
end
protected
def load_parent
@parent = Section.find(params[:section_id])
+ raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@parent)
+ end
+
+ def load_section
+ @section = Section.find(params[:id])
+ raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@section)
end
def handle_file_browser_upload
begin
case params[:Type].downcase