author | Azul <azul@riseup.net> | 2016-03-31 11:40:44 +0200 |
---|---|---|
committer | Azul <azul@riseup.net> | 2016-03-31 11:40:44 +0200 |
commit | be5efb57dc9b282a31cf29c9eac27cb5a7e7ac2f (patch) | |
tree | ce8bee7d2fa4007a1db9815e1af001fe44e329c1 /app/controllers/controller_extension/fetch_user.rb | |
parent | 14c9f2ab7cbf410bcd7fdd75b4a1c11417b30bd7 (diff) | |
parent | 48acca107b9bd7a59bacb1449b042eb753e63917 (diff) |
Merge remote-tracking branch 'github/211' into develop
Diffstat (limited to 'app/controllers/controller_extension/fetch_user.rb')
-rw-r--r-- | app/controllers/controller_extension/fetch_user.rb | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/app/controllers/controller_extension/fetch_user.rb b/app/controllers/controller_extension/fetch_user.rb
index 695d723..97f92fa 100644
--- a/app/controllers/controller_extension/fetch_user.rb
+++ b/app/controllers/controller_extension/fetch_user.rb
@@ -8,11 +8,25 @@ module ControllerExtension::FetchUser
 protected
+ #
+ # fetch @user from params, but enforce permissions:
+ #
+ # * admins may fetch any user
+ # * monitors may fetch test users
+ # * users may fetch themselves
+ #
+ # these permissions matter, it is what protects
+ # users from being updated or deleted by other users.
+ #
 def fetch_user
 @user = User.find(params[:user_id] || params[:id])
- if !@user && admin?
- redirect_to users_url, :alert => t(:no_such_thing, :thing => 'user')
- elsif !admin? && @user != current_user
+ if current_user.is_admin? || current_user.is_monitor?
+ if @user.nil?
+ not_found(t(:no_such_thing, :thing => 'user'), users_url)
+ elsif current_user.is_monitor?
+ access_denied unless @user.is_test?
+ end
+ elsif @user != current_user
 access_denied
 end
 end |
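Review bot: The new permission check dereferences `current_user` unconditionally in `if current_user.is_admin? || current_user.is_monitor?`, so if this filter ever runs for an unauthenticated request it fails with a NoMethodError on nil instead of denying access, whereas the replaced `admin?` helper may have tolerated a nil user. Unless a login filter is guaranteed to run before `fetch_user` on every controller that includes this extension, add a guard at the top of the method, `return access_denied unless current_user`. Separately, a monitor gets `not_found` for an unknown id but `access_denied` for an existing non-test user, so a monitor can probe which ids exist; if that distinction is not needed, answering `access_denied` in both cases for monitors closes the oracle. The enclosing `module ControllerExtension::FetchUser` begins and ends outside the hunk.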