Only allow admins to change course editors (#610)

* whitelist editor_ids as parameter only for admins * add helpdesk informing about inability to change editors * remove unnecessry hash brackets * fix typos * put hash in one line * remove obsolete parameter * add helpdesk to cSpell
MaMpf-HD · Apr 9, 2024 · 518de4e · 518de4e
1 parent 1e6d953
commit 518de4e
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 7 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -89,6 +89,7 @@
     //////////////////////////////////////
     "cSpell.words": [
         "commontator",
+        "helpdesk",
         "turbolinks"
     ]
 }
diff --git a/app/controllers/courses_controller.rb b/app/controllers/courses_controller.rb
@@ -94,13 +94,12 @@ def set_course_admin
     end
 
     def course_params
-      params.require(:course).permit(:title, :short_title, :organizational,
-                                     :organizational_concept, :locale,
-                                     :term_independent, :image,
-                                     tag_ids: [],
-                                     preceding_course_ids: [],
-                                     editor_ids: [],
-                                     division_ids: [])
+      allowed_params = [:title, :short_title, :organizational,
+                        :organizational_concept, :locale,
+                        :term_independent, :image,
+                        { tag_ids: [], preceding_course_ids: [], division_ids: [] }]
+      allowed_params.push(editor_ids: []) if current_user.admin?
+      params.require(:course).permit(allowed_params)
     end
 
     def tag_params

diff --git a/app/views/courses/_basics.html.erb b/app/views/courses/_basics.html.erb
@@ -70,6 +70,9 @@
     </div>
   <% else %>
     <%= t('basics.editors') %>
+    <%= helpdesk(t('admin.course.info.no_right_to_change_editors',
+                   project_email: mail_to(DefaultSetting::PROJECT_EMAIL)),
+                 true) %>
     <ul>
       <% course.editors.each do |e| %>
         <li>

diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -807,6 +807,10 @@ de:
           das Modul bearbeiten, insbesondere können sie Veranstaltungen innerhalb
           des Moduls anlegen. ModuleditorInnen erben die Bearbeitungsrechte für
           alle Veranstaltungen innerhalb des Moduls.
+        no_right_to_change_editors: >
+          ModuleditorInnen können nur von AdministratorInnen geändert werden.
+          Bitte wende Dich per Email an %{project_email}, wenn hier
+          eine Änderung vorgenommen werden soll.
         preceding_courses: >
           Hier kannst Du angeben, auf welchen Modulen das
           vorliegende Modul aufbaut.

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -772,6 +772,10 @@ en:
           in particular they can create event series within the course. Every course
           editor inherits editing access for all event series belonging to the
           course.
+        no_right_to_change_editors: >
+          Course editors can only be changed by administrators.
+          Please contact %{project_email} by email if you want a change to be made
+          here.
         preceding_courses: >
           Here you can enter which courses this course builds upon.
           E.g., Linear Algebra 1 and Linear Algebra 2 might be preceding