Merge pull request #176 from azul/feature/api-authenticated-configs

API: Authenticated access to config settings
author: azul <azul@leap.se> 2014-07-17 12:16:07 +0200
committer: azul <azul@leap.se> 2014-07-17 12:16:07 +0200
commit: ade74d8a9091ae607586d7b287a0579a2ee7af8e (patch)
tree: 74273b8ba7e35d0fb3c96aa79e63c93086d15146 /app/controllers/controller_extension/fetch_user.rb
parent: 952bc18e8333ca5c3e6e16f8059f84a1414d5f6f (diff)
parent: e86cccb4b89540f3bd403110d051b2723be781b9 (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/app/controllers/controller_extension/fetch_user.rb b/app/controllers/controller_extension/fetch_user.rb
new file mode 100644
index 0000000..695d723
--- /dev/null
+++ b/app/controllers/controller_extension/fetch_user.rb
@@ -0,0 +1,20 @@
+#
+# fetch the user taking into account permissions.
+# While normal users can only change settings for themselves
+# admins can change things for all users.
+#
+module ControllerExtension::FetchUser
+  extend ActiveSupport::Concern
+
+  protected
+
+  def fetch_user
+    @user = User.find(params[:user_id] || params[:id])
+    if !@user && admin?
+      redirect_to users_url, :alert => t(:no_such_thing, :thing => 'user')
+    elsif !admin? && @user != current_user
+      access_denied
+    end
+  end
+
+end
author	azul <azul@leap.se>	2014-07-17 12:16:07 +0200
committer	azul <azul@leap.se>	2014-07-17 12:16:07 +0200
commit	ade74d8a9091ae607586d7b287a0579a2ee7af8e (patch)
tree	74273b8ba7e35d0fb3c96aa79e63c93086d15146 /app/controllers/controller_extension/fetch_user.rb
parent	952bc18e8333ca5c3e6e16f8059f84a1414d5f6f (diff)
parent	e86cccb4b89540f3bd403110d051b2723be781b9 (diff)