blog_kit
Require permission in order to view drafts
I can see that my previous XSS issue has been more or less ignored, so I don't know why I'm posting this. Anyway, drafts are accessible by everyone, which I do not think is what users of the script expect. Here's a quick and dirty patch:
diff --git a/app/controllers/blog_posts_controller.rb b/app/controllers/blog_posts_controller.rb index 9b7a55c..7ccfdd6 100644 --- a/app/controllers/blog_posts_controller.rb +++ b/app/controllers/blog_posts_controller.rb @@ -32,6 +32,10 @@ class BlogPostsController < ApplicationController
def show @blog_post = BlogPost.find(params[:id])
- unless @blog_post.published == 1
-
require_admin -
return - end @blog_comment = @blog_post.blog_comments.new
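Review bot: `unless @blog_post.published == 1` is a strict integer comparison, so if `published` is a boolean column (the Rails default for a flag like this) `true == 1` is `false` in Ruby and every post, published or not, would hit `require_admin`; `unless @blog_post.published?` (or a truthiness check on the attribute) avoids depending on how the column is stored. Two smaller points on the same hunk: as pasted here the inserted lines carry `-` markers rather than `+`, so the patch would apply as a removal and the sign should be confirmed before merging; and the guard is added only to `show`, so any other route that can render or list a draft still needs the same check.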