authorjessib <jessib@leap.se>2013-01-15 12:52:09 -0800
committerjessib <jessib@leap.se>2013-01-15 12:52:09 -0800
commite2021bdcc40b51ab5e571c97e882bba10dc80ad6 (patch)
tree59052403102c027dde9d73f4b85cc643e15bb86b
parent3dc8886beb7d3689c87d9aa1e5ad2d4c6c5b4c55 (diff)
For both users and tickets, if the object is not found and the current user is an admin, they should see an alert that the object wasn't found, and be redirected to the current controller.
If the object isn't found and the current user is not an admin, then we will continue to give an error about no access, so as not to leak information about what IDs do and don't exist.
-rw-r--r--config/locales/en.yml1
-rw-r--r--help/app/controllers/tickets_controller.rb2
-rw-r--r--users/app/controllers/users_controller.rb4
3 files changed, 6 insertions, 1 deletions
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 179c14c..fc61c31 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -3,3 +3,4 @@
en:
hello: "Hello world"
+ no_such_thing: "No such %{thing}."
diff --git a/help/app/controllers/tickets_controller.rb b/help/app/controllers/tickets_controller.rb
index d47939e..b613088 100644
--- a/help/app/controllers/tickets_controller.rb
+++ b/help/app/controllers/tickets_controller.rb
@@ -99,7 +99,7 @@ class TicketsController < ApplicationController
def fetch_ticket
@ticket = Ticket.find(params[:id])
if !@ticket and admin?
- redirect_to tickets_path, :alert => "No such ticket"
+ redirect_to tickets_path, :alert => t(:no_such_thing, :thing => 'ticket')
return
end
access_denied unless ticket_access?
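Review bot: The new redirect `redirect_to tickets_path, :alert => t(:no_such_thing, :thing => 'ticket')` is only reached when `Ticket.find` returns nil for an unknown id; if that lookup raises on a missing record instead (ActiveRecord-style `find`), the `if !@ticket and admin?` branch is unreachable and an unknown id would surface as a not-found error to every caller, including non-admins, which is exactly the existence leak the commit description sets out to avoid. It is worth confirming the model's `find` semantics or switching to a nil-returning lookup; the same question applies to `User.find_by_param` in users_controller.rb. For the non-admin path, `ticket_access?` must tolerate a nil `@ticket` and answer false so the response is indistinguishable from a genuine no-access case; that method, and the rest of fetch_ticket, lie outside the hunk.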
diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index 79de630..3d5a6a7 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -49,6 +49,10 @@ class UsersController < ApplicationController
def fetch_user
@user = User.find_by_param(params[:id])
+ if !@user and admin?
+ redirect_to users_path, :alert => t(:no_such_thing, :thing => 'user')
+ return
+ end
access_denied unless admin? or (@user == current_user)
end
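Review bot: The added condition `if !@user and admin?` uses `and` for boolean logic, which binds lower than `&&` and `!` and is the idiom the Ruby style guide reserves for control flow; `if @user.nil? && admin?` reads the intent directly. The reason non-admins still fall through to `access_denied` for an unknown id is stated only in the commit message, so a comment above the `access_denied` line would keep it from being "fixed" later, e.g. `# Non-admins get access_denied for unknown ids as well, so the response does not reveal which ids exist.` The `or` in `unless admin? or (@user == current_user)` is context here, but would benefit from the same `||` treatment if the line is touched again.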