summaryrefslogtreecommitdiff
path: root/app/controllers
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2016-03-28 15:52:21 -0700
committerelijah <elijah@riseup.net>2016-03-28 16:03:54 -0700
commit67b5aa4198e0f6ab2cd29767aedcb4bf5b5dc4d9 (patch)
treecfea468d3d70363298490cc1ad7b8085688530b7 /app/controllers
parentc63791c7ffacb7c6cfc685e2654ffe66f0a6b185 (diff)
api tokens - clarify terms: "monitors" are admins that authenticated via api token, "tmp" users are users that exist only in tmp db, "test" users are either tmp users or users named "test_user_x"
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/controller_extension/errors.rb11
-rw-r--r--app/controllers/controller_extension/fetch_user.rb20
2 files changed, 23 insertions, 8 deletions
diff --git a/app/controllers/controller_extension/errors.rb b/app/controllers/controller_extension/errors.rb
index 8f8edde..2b68955 100644
--- a/app/controllers/controller_extension/errors.rb
+++ b/app/controllers/controller_extension/errors.rb
@@ -4,21 +4,22 @@ module ControllerExtension::Errors
protected
def access_denied
- respond_to_error :not_authorized, :forbidden, home_url
+ render_error :not_authorized, :forbidden, home_url
end
def login_required
# Warden will intercept the 401 response and call
# SessionController#unauthenticated instead.
- respond_to_error :not_authorized_login, :unauthorized, login_url
+ render_error :not_authorized_login, :unauthorized, login_url
end
- def not_found
- respond_to_error :not_found, :not_found, home_url
+ def not_found(msg=nil, url=nil)
+ render_error(msg || :not_found, :not_found, url || home_url)
end
+ private
- def respond_to_error(message, status=nil, redirect=nil)
+ def render_error(message, status=nil, redirect=nil)
error = message
message = t(message) if message.is_a?(Symbol)
respond_to do |format|
diff --git a/app/controllers/controller_extension/fetch_user.rb b/app/controllers/controller_extension/fetch_user.rb
index 695d723..97f92fa 100644
--- a/app/controllers/controller_extension/fetch_user.rb
+++ b/app/controllers/controller_extension/fetch_user.rb
@@ -8,11 +8,25 @@ module ControllerExtension::FetchUser
protected
+ #
+ # fetch @user from params, but enforce permissions:
+ #
+ # * admins may fetch any user
+ # * monitors may fetch test users
+ # * users may fetch themselves
+ #
+ # these permissions matter, it is what protects
+ # users from being updated or deleted by other users.
+ #
def fetch_user
@user = User.find(params[:user_id] || params[:id])
- if !@user && admin?
- redirect_to users_url, :alert => t(:no_such_thing, :thing => 'user')
- elsif !admin? && @user != current_user
+ if current_user.is_admin? || current_user.is_monitor?
+ if @user.nil?
+ not_found(t(:no_such_thing, :thing => 'user'), users_url)
+ elsif current_user.is_monitor?
+ access_denied unless @user.is_test?
+ end
+ elsif @user != current_user
access_denied
end
end