[feature] restrict is_admin in the user api, to only allow querying

for him/herself So that it we do not expose the is_admin property to anyone else including other admins.
author: NavaL <ayoyo@thoughtworks.com> 2016-07-14 15:06:20 +0200
committer: NavaL <ayoyo@thoughtworks.com> 2016-07-14 15:45:09 +0200
commit: ab1917c5fe0f03e7719863a5598ad575d9fef302 (patch)
tree: 1aba29d7cfa25489d7f53528e022ff14ecb24961 /app
parent: e3c2cb91dfef5c39c608b967e702e9de977d1bd2 (diff)
2 files changed, 14 insertions, 3 deletions
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index c79a729..709e076 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -28,12 +28,20 @@ module Api
         @user = User.find(params[:id])
       end
       if @user
-        respond_with @user
+        respond_with user_response
       else
         not_found
       end
     end
 
+    def user_response
+      @user.to_hash.tap do |user_hash|
+        if @user == current_user
+          user_hash['is_admin'] = @user.is_admin?
+        end
+      end
+    end
+
     def create
       if current_user.is_monitor?
         create_test_account
diff --git a/app/models/user.rb b/app/models/user.rb
index 6541305..93830cc 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -74,13 +74,16 @@ class User < CouchRest::Model::Base
   end
 
   def to_json(options={})
+    to_hash.to_json(options)
+  end
+
+  def to_hash()
     {
       :login => self.login,
       :ok => self.valid?,
       :id => self.id,
       :enabled => self.enabled?,
-      :is_admin => self.is_admin?
-    }.to_json(options)
+    }
   end
 
   def salt
author	NavaL <ayoyo@thoughtworks.com>	2016-07-14 15:06:20 +0200
committer	NavaL <ayoyo@thoughtworks.com>	2016-07-14 15:45:09 +0200
commit	ab1917c5fe0f03e7719863a5598ad575d9fef302 (patch)
tree	1aba29d7cfa25489d7f53528e022ff14ecb24961 /app
parent	e3c2cb91dfef5c39c608b967e702e9de977d1bd2 (diff)