app/controllers/caboose/roles_controller.rb in caboose-cms-0.9.194 vs app/controllers/caboose/roles_controller.rb in caboose-cms-0.9.195

- old
+ new

@@ -22,11 +22,11 @@ end # @route GET /admin/roles/:id def edit return unless user_is_allowed('roles', 'edit') - @role = Role.find(params[:id]) + @role = get_edit_role(params[:id], @site.id) end # @route POST /admin/roles def create return unless user_is_allowed('roles', 'add')
@@ -54,11 +54,11 @@ # @route PUT /admin/roles/:id def update return unless user_is_allowed('roles', 'edit') resp = StdClass.new - role = Role.find(params[:id]) + role = get_edit_role(params[:id], @site.id) save = true params.each do |name,value| case name when "name"
@@ -97,28 +97,30 @@ end # @route DELETE /admin/roles/:id def destroy return unless user_is_allowed('roles', 'delete') - @role = Role.find(params[:id]) + @role = get_edit_role(params[:id], @site.id) @role.destroy render json: { 'redirect' => '/admin/roles' } end # @route POST /admin/roles/:id/permissions/:permission_id def add_permission return if !user_is_allowed('roles', 'edit') - if !RolePermission.where(:role_id => params[:id], :permission_id => params[:permission_id], ).exists? - RolePermission.create(:role_id => params[:id], :permission_id => params[:permission_id]) + role = get_edit_role(params[:id], @site.id) + if role && !RolePermission.where(:role_id => role.id, :permission_id => params[:permission_id], ).exists? + RolePermission.create(:role_id => role.id, :permission_id => params[:permission_id]) end render :json => true end # @route DELETE /admin/roles/:id/permissions/:permission_id def remove_permission return if !user_is_allowed('roles', 'edit') - RolePermission.where(:role_id => params[:id], :permission_id => params[:permission_id]).destroy_all + role = get_edit_role(params[:id], @site.id) + RolePermission.where(:role_id => role.id, :permission_id => params[:permission_id]).destroy_all if role render :json => true end # @route_priority 1 # @route GET /admin/roles/options
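Review bot: `@role = get_edit_role(params[:id], @site.id)` in edit leaves @role nil when the role belongs to a different site (the helper added in the -141 hunk returns nil in that case), and nothing in this hunk stops the action afterwards, so the request presumably fails with a NoMethodError in the view instead of the clean denial that `user_is_allowed` gives. The same gap is in update (-54 hunk, `role = get_edit_role(...)` followed by the attribute loop) and in destroy (-97 hunk, `@role = get_edit_role(...)` immediately followed by `@role.destroy`), whereas add_permission and remove_permission in the -97 hunk already guard with `if role`. Each of the three should bail out right after the lookup, e.g. `return if @role.nil?` in edit and destroy, and the equivalent on `role` in update. The bodies of edit and update continue past their hunks, so a later guard may exist, but none is visible here.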
@@ -141,7 +143,18 @@ role.children.each do |kid| arr += add_role_options(kid, level + 1) end return arr end + + + private + + def get_edit_role(role_id, site_id) + role = Role.find(role_id) + return role if role && (role.site_id == site_id || logged_in_user.is_super_admin?) + return nil + end + + end end
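Review bot: In get_edit_role, `Role.find(role_id)` presumably raises RecordNotFound for an unknown id (Role looks like an ActiveRecord model given `.where`/`.exists?` elsewhere in the file), so the `role &&` guard on the next line never sees nil, and an unknown id surfaces as an exception while a cross-site id quietly returns nil. Looking the role up with `role = Role.where(:id => role_id).first` makes both cases return nil and lets the existing guard and the callers' `if role` checks handle them uniformly. A one-line comment stating the contract would also help the callers, e.g. `# Returns the role only if it belongs to site_id or the logged-in user is a super admin; nil otherwise.`. Minor style: the closing `return nil` can be the bare expression `nil`, and the Ruby convention is to drop the `get_` prefix (e.g. `editable_role`), though the name is private and can stay if the file uses it consistently.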