before_filter :check_database_writable, :only => [:create, :edit, :delete]
before_filter :check_api_readable, :only => [:api_details, :api_data]
before_filter :check_api_writable, :only => [:api_create]
+ before_filter :require_allow_read_gpx, :only => [:api_details, :api_data]
+ before_filter :require_allow_write_gpx, :only => [:api_create]
# Counts and selects pages of GPX traces for various criteria (by user, tags, public etc.).
# target_user - if set, specifies the user to fetch traces for. if not set will fetch all traces
if @user and @user == target_user
conditions = ["gpx_files.user_id = ?", @user.id] #3 (check vs user id, so no join + can't pick up non-public traces by changing name)
else
- conditions = ["gpx_files.visibility <> 'private' AND gpx_files.user_id = ?", target_user.id] #4
+ conditions = ["gpx_files.public <> 'private' AND gpx_files.user_id = ?", target_user.id] #4
end
end