Only allow users to read their own messages.

[rails.git] / app / controllers / message_controller.rb

diff --git a/app/controllers/message_controller.rb b/app/controllers/message_controller.rb
index 26102cc639faa8ef547566e8ce754b741e600fb1..d8689c28a0fe7b2925929dcd5abb2bff9c32659e 100644 (file)
--- a/app/controllers/message_controller.rb
+++ b/app/controllers/message_controller.rb
@@ -29,10 +29,11 @@ class MessageController < ApplicationController
 
   def read
     @title = 'read message'
-    if params[:message_id]
-      id = params[:message_id]
-      @message = Message.find_by_id(id)
-    end
+    @message = Message.find(params[:message_id], :conditions => ["to_user_id = ?", @user.id])
+    @message.message_read = 1
+    @message.save
+  rescue ActiveRecord::RecordNotFound
+    render :none, :status => :not_found
   end
 
   def inbox
@@ -47,9 +48,16 @@ class MessageController < ApplicationController
     if params[:message_id]
       id = params[:message_id]
       message = Message.find_by_id(id)
-      message.message_read = 1
+      if params[:mark] == 'unread'
+        message_read = 0 
+        mark_type = 'unread'
+      else
+        message_read = 1
+        mark_type = 'read'
+      end
+      message.message_read = message_read
       if message.save
-        flash[:notice] = 'Message marked as read'
+        flash[:notice] = "Message marked as #{mark_type}"
         redirect_to :controller => 'message', :action => 'inbox', :display_name => @user.display_name
       end
     end