X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9ca40fd12a6e590b386ce57dc1a5096875d2061f..96b2469f9be45c620e4173cdd1101eb4664f6fd0:/app/controllers/application_controller.rb?ds=sidebyside
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 49dbc241ad..6535888996 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
-  before_filter :find_object_by_uuid, :except => [:index, :render_exception, :render_not_found]
   around_filter :thread_with_api_token, :except => [:render_exception, :render_not_found]
+  before_filter :find_object_by_uuid, :except => [:index, :render_exception, :render_not_found]
 
   unless Rails.application.config.consider_all_requests_local
     rescue_from Exception,
@@ -56,10 +56,20 @@ class ApplicationController < ActionController::Base
 
   def show
     if !@object
-      render_not_found("object not found")
+      return render_not_found("object not found")
     end
     respond_to do |f|
       f.json { render json: @object }
+      f.html { render }
+    end
+  end
+
+  def current_user
+    if Thread.current[:orvos_api_token]
+      @current_user ||= User.current
+    else
+      logger.error "No API token in Thread"
+      return nil
     end
   end
 
@@ -73,7 +83,7 @@ class ApplicationController < ActionController::Base
     if params[:id] and params[:id].match /\D/
       params[:uuid] = params.delete :id
     end
-    @object = model_class.where('uuid=?', params[:uuid]).first
+    @object = model_class.where(uuid: params[:uuid]).first
   end
 
   def thread_with_api_token
@@ -136,4 +146,11 @@ class ApplicationController < ActionController::Base
       false
     end
   end
+
+  def ensure_current_user_is_admin
+    unless current_user and current_user.is_admin
+      @errors = ['Permission denied']
+      self.render_error status: 401
+    end
+  end
 end
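Review bot: The filter order is now load-bearing — `find_object_by_uuid` is moved below `around_filter :thread_with_api_token`, presumably so the thread-local API token is already set when the lookup runs — but nothing in the hunk records that dependency, so a later contributor tidying the filter list alphabetically would silently reintroduce the original bug. A one-line comment above the moved `before_filter` would pin it, e.g. `# Must be declared after thread_with_api_token: the lookup needs the API token in Thread.current`. If the ordering is in fact incidental rather than required, the comment should say that instead.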
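Review bot: In the new `current_user`, the `else` branch logs at error level and then explicitly returns nil whenever the thread-local token is absent; since this method is presumably reached from views and filters on ordinary unauthenticated requests, that will put one error-level line in the log per such request without indicating a real fault. The `return nil` is also redundant — the branch's last expression is already the method's value. Consider `logger.warn "No API token in Thread"` (or debug, if a missing token is an expected state) followed by a bare `nil`. Whether an unset token is ever legitimate here depends on `thread_with_api_token`, which is outside the hunk.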
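Review bot: Switching to the hash condition changes what the query does when `params[:uuid]` is missing: `where('uuid=?', nil)` produced `uuid = NULL`, which matches nothing, whereas `where(uuid: nil)` produces `uuid IS NULL` and would return any row whose uuid column is unset; an array-valued parameter likewise becomes an `IN (...)` list instead of a single-value comparison. A guard keeps the original single-uuid semantics: `@object = params[:uuid].present? ? model_class.where(uuid: params[:uuid].to_s).first : nil`. Depending on the Rails version in use, `.first` without an explicit order may also be non-deterministic when more than one row matches — worth confirming. The enclosing `find_object_by_uuid` starts above the hunk.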
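Review bot: `ensure_current_user_is_admin` answers every failure with status 401, but 401 means the request carried no usable credentials, whereas an authenticated user who simply is not an admin should get 403 Forbidden; conflating the two also makes a bad token indistinguishable from an authorization denial in logs and client handling. Suggest `self.render_error status: (current_user ? 403 : 401)`. The condition `unless current_user and current_user.is_admin` should use `&&` rather than `and` per the Ruby style guide, and the explicit `self.` on `render_error` is unnecessary. This relies on `render_error` halting the filter chain by rendering, which I assume it does since it is defined outside the hunk.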