Module: Hyrax::BatchUploadsControllerBehavior

Extended by:
ActiveSupport::Concern
Includes:
Hydra::Controller::ControllerBehavior, CurationConcernController
Included in:
BatchUploadsController
Defined in:
app/controllers/concerns/hyrax/batch_uploads_controller_behavior.rb

Defined Under Namespace

Classes: BatchUploadFormService

Instance Method Summary

Methods included from CurationConcernController

#destroy, #edit, #file_manager, #inspect_work, #new, #show, #update

Instance Method Details

#create ⇒ Object

Note:

we don't call `authorize!` directly, since `authorized_models` already checks `user.can? :create, …`

The permissions to create a batch are not as important as the permissions for the concern being batched.

Raises:

  • (CanCan::AccessDenied)


# File 'app/controllers/concerns/hyrax/batch_uploads_controller_behavior.rb', line 16

# Creates a batch of works of one user-selected model class.
#
# The model name arrives as `params[:batch_upload_item][:payload_concern]`
# and is untrusted. It is never constantized directly: the name that reaches
# `create_update_job` is the matching entry from the current user's
# `authorized_models` list, so the string we act on is ours, not the caller's.
#
# @return [void] redirects via `redirect_after_update`
# @raise [CanCan::AccessDenied] when the requested model is not in the
#   current user's authorized model list (or no model was requested)
def create
  authenticate_user!
  requested_model = params.fetch(:batch_upload_item, {})[:payload_concern]
  # Calling constantize on user params is disfavored (per brakeman), so the
  # requested name is looked up in an allowlist built for the current user.
  permitted_models = Hyrax::SelectTypeListPresenter.new(current_user).authorized_models.map(&:to_s)
  payload_concern = permitted_models.find { |name| name == requested_model }
  raise CanCan::AccessDenied, "Cannot create an object of class '#{requested_model}'" if payload_concern.nil?
  # authorize! :create, payload_concern
  create_update_job(payload_concern)
  # `#t` in a controller context does not mark _html keys as html_safe, hence view_context.
  flash[:notice] = view_context.t('hyrax.works.create.after_create_html', application_name: view_context.application_name)
  redirect_after_update
end