author | elijah <elijah@riseup.net> | 2016-03-28 15:52:21 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2016-03-28 16:03:54 -0700 |
commit | 67b5aa4198e0f6ab2cd29767aedcb4bf5b5dc4d9 (patch) | |
tree | cfea468d3d70363298490cc1ad7b8085688530b7 /app/controllers | |
parent | c63791c7ffacb7c6cfc685e2654ffe66f0a6b185 (diff) |
api tokens - clarify terms: "monitors" are admins that authenticated via api token, "tmp" users are users that exist only in tmp db, "test" users are either tmp users or users named "test_user_x"
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/controller_extension/errors.rb | 11 | ||||
-rw-r--r-- | app/controllers/controller_extension/fetch_user.rb | 20 |
2 files changed, 23 insertions, 8 deletions
diff --git a/app/controllers/controller_extension/errors.rb b/app/controllers/controller_extension/errors.rb
index 8f8edde..2b68955 100644
--- a/app/controllers/controller_extension/errors.rb
+++ b/app/controllers/controller_extension/errors.rb
@@ -4,21 +4,22 @@ module ControllerExtension::Errors
 protected
 def access_denied
- respond_to_error :not_authorized, :forbidden, home_url
+ render_error :not_authorized, :forbidden, home_url
 end
 def login_required
 # Warden will intercept the 401 response and call
 # SessionController#unauthenticated instead.
- respond_to_error :not_authorized_login, :unauthorized, login_url
+ render_error :not_authorized_login, :unauthorized, login_url
 end
- def not_found
- respond_to_error :not_found, :not_found, home_url
+ def not_found(msg=nil, url=nil)
+ render_error(msg || :not_found, :not_found, url || home_url)
 end
+ private
- def respond_to_error(message, status=nil, redirect=nil)
+ def render_error(message, status=nil, redirect=nil)
 error = message
 message = t(message) if message.is_a?(Symbol)
 respond_to do |format|
diff --git a/app/controllers/controller_extension/fetch_user.rb b/app/controllers/controller_extension/fetch_user.rb
index 695d723..97f92fa 100644
--- a/app/controllers/controller_extension/fetch_user.rb
+++ b/app/controllers/controller_extension/fetch_user.rb
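Review bot: In errors.rb, `not_found` now takes `msg` and `url` but nothing says what they may be, and that matters because `render_error` copies `message` into `error` before it translates Symbols. A caller that passes an already translated String (as the new `fetch_user` does) will therefore put localized text into `error`, where the other helpers put a key such as `:not_found`. How `error` is used lies outside this hunk, so the effect on API clients is inferred. I would add a comment above the method, `# msg: i18n key (Symbol) or an already translated String; url: redirect target, defaults to home_url`, and confirm that a String in `error` is acceptable.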
@@ -8,11 +8,25 @@ module ControllerExtension::FetchUser
 protected
+ #
+ # fetch @user from params, but enforce permissions:
+ #
+ # * admins may fetch any user
+ # * monitors may fetch test users
+ # * users may fetch themselves
+ #
+ # these permissions matter, it is what protects
+ # users from being updated or deleted by other users.
+ #
 def fetch_user
 @user = User.find(params[:user_id] || params[:id])
- if !@user && admin?
- redirect_to users_url, :alert => t(:no_such_thing, :thing => 'user')
- elsif !admin? && @user != current_user
+ if current_user.is_admin? || current_user.is_monitor?
+ if @user.nil?
+ not_found(t(:no_such_thing, :thing => 'user'), users_url)
+ elsif current_user.is_monitor?
+ access_denied unless @user.is_test?
+ end
+ elsif @user != current_user
 access_denied
 end
 end |
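Review bot: The monitor branch of `fetch_user` authorizes on `@user.is_test?` alone, and the commit message defines test users as tmp users or users named "test_user_x", so this check is only as strong as whatever stops an ordinary account from holding such a name. `is_test?` is defined outside this hunk; if it matches on the login, signup has to reserve names of that form, and the doc comment should record the dependency, e.g. `# * monitors may fetch test users (see User#is_test?; names of the form test_user_x must be reserved)`. Separately, the old code asked the `admin?` helper while the new code calls `current_user.is_admin?` directly, which presumably relies on `current_user` never being nil for a logged-out request. That is worth confirming with a test, since an exception here would replace the intended `access_denied` response.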