summaryrefslogtreecommitdiff
path: root/app/controllers/api/users_controller.rb
diff options
context:
space:
mode:
authorNavaL <ayoyo@thoughtworks.com>2016-07-14 15:06:20 +0200
committerNavaL <ayoyo@thoughtworks.com>2016-07-14 15:45:09 +0200
commitab1917c5fe0f03e7719863a5598ad575d9fef302 (patch)
tree1aba29d7cfa25489d7f53528e022ff14ecb24961 /app/controllers/api/users_controller.rb
parente3c2cb91dfef5c39c608b967e702e9de977d1bd2 (diff)
[feature] restrict is_admin in the user api, to only allow querying
for him/herself So that it we do not expose the is_admin property to anyone else including other admins.
Diffstat (limited to 'app/controllers/api/users_controller.rb')
-rw-r--r--app/controllers/api/users_controller.rb10
1 files changed, 9 insertions, 1 deletions
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index c79a729..709e076 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -28,12 +28,20 @@ module Api
@user = User.find(params[:id])
end
if @user
- respond_with @user
+ respond_with user_response
else
not_found
end
end
+ def user_response
+ @user.to_hash.tap do |user_hash|
+ if @user == current_user
+ user_hash['is_admin'] = @user.is_admin?
+ end
+ end
+ end
+
def create
if current_user.is_monitor?
create_test_account