diff options
author | NavaL <ayoyo@thoughtworks.com> | 2016-07-14 15:06:20 +0200 |
---|---|---|
committer | NavaL <ayoyo@thoughtworks.com> | 2016-07-14 15:45:09 +0200 |
commit | ab1917c5fe0f03e7719863a5598ad575d9fef302 (patch) | |
tree | 1aba29d7cfa25489d7f53528e022ff14ecb24961 /app/controllers/api/users_controller.rb | |
parent | e3c2cb91dfef5c39c608b967e702e9de977d1bd2 (diff) |
[feature] restrict is_admin in the user api, to only allow querying
for him/herself
So that it we do not expose the is_admin property to anyone else
including other admins.
Diffstat (limited to 'app/controllers/api/users_controller.rb')
-rw-r--r-- | app/controllers/api/users_controller.rb | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb index c79a729..709e076 100644 --- a/app/controllers/api/users_controller.rb +++ b/app/controllers/api/users_controller.rb @@ -28,12 +28,20 @@ module Api @user = User.find(params[:id]) end if @user - respond_with @user + respond_with user_response else not_found end end + def user_response + @user.to_hash.tap do |user_hash| + if @user == current_user + user_hash['is_admin'] = @user.is_admin? + end + end + end + def create if current_user.is_monitor? create_test_account |