Restrict visible pastes to given :project.

Author: ashcmd

app/controllers/pastes_controller.rb

@@ -94,13 +94,8 @@ def destroy
   private
 
   def find_paste_and_project
-    if params[:project_id].present?
-      @project = Project.find(params[:project_id])
-      @pastes = @project.pastes
-    else
-      @pastes = Paste
-    end
-    @pastes = @pastes.visible(User.current)
+    @project = Project.find(params[:project_id]) if params[:project_id].present?
+    @pastes = Paste.visible(User.current, :project => @project)
 
     if params[:id].present?
       if Paste.secure_id?(params[:id])

app/models/paste.rb

@@ -35,15 +35,21 @@ class Paste < ActiveRecord::Base
   scope :expired, where("expires_at <= current_timestamp")
   scope :unexpired, where("expires_at IS NULL OR expires_at > current_timestamp")
 
+  #
+  # * Restrict to project, if given.
   #
   # * Admin users should be able to see all pastes (even secure ones.)
   #
   # * An ordinary user can see a secure paste only if he has authored it.
   #
   # * Never show expired pastes even to an admin.
   #
-  scope :visible, lambda { |user, options={}|
-    where(user.admin? ? nil : ["access_token IS NULL OR author_id = ?", user.id]).unexpired
+  scope :visible, lambda{ |user, *args|
+    options = args.first || {}
+    s = self
+    s = s.where(:project_id => options[:project]) if options[:project]
+    s = s.where(["access_token IS NULL OR author_id = ?", user.id]) unless user.admin?
+    s.unexpired
   }
 
   acts_as_searchable :columns => ["#{table_name}.title", "#{table_name}.text"],