Do not render hidden news edit form if user is not allowed to edit (closes #4068).

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Thu, 22 Oct 2009 17:42:17 +0000 (17:42 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Thu, 22 Oct 2009 17:42:17 +0000 (17:42 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Thu, 22 Oct 2009 17:42:17 +0000 (17:42 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Thu, 22 Oct 2009 17:42:17 +0000 (17:42 +0000)
diff --git a/app/views/news/show.rhtml b/app/views/news/show.rhtml

index 8964927369ae3720dacf9d7af058f73ca5b4812b..019a14dfd6cee03f4bd232a0159d0e6e3b23d92e 100644 (file)
--- a/app/views/news/show.rhtml
+++ b/app/views/news/show.rhtml
@@ -9,6 +9,7 @@
  
  <h2><%=h @news.title %></h2>
  
+<% if authorize_for('news', 'edit') %>
  <div id="edit-news" style="display:none;">
  <% labelled_tabular_form_for :news, @news, :url => { :action => "edit", :id => @news },
                                             :html => { :id => 'news-form' } do |f| %>
@@ -20,10 +21,11 @@
                       :update => 'preview',
                       :with => "Form.serialize('news-form')"
                     }, :accesskey => accesskey(:preview) %> |
-<%= link_to l(:button_cancel), "#", :onclick => 'Element.hide("edit-news")' %>
+<%= link_to l(:button_cancel), "#", :onclick => 'Element.hide("edit-news"); return false;' %>
  <% end %>
  <div id="preview" class="wiki"></div>
  </div>
+<% end %>
  
  <p><em><% unless @news.summary.blank? %><%=h @news.summary %><br /><% end %>
  <span class="author"><%= authoring @news.created_on, @news.author %></span></em></p>
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Thu, 22 Oct 2009 17:42:17 +0000 (17:42 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Thu, 22 Oct 2009 17:42:17 +0000 (17:42 +0000)