diff options
author | elijah <elijah@riseup.net> | 2014-06-03 01:12:17 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2014-06-03 01:12:17 -0700 |
commit | 366ff2e7f5ecd44aab1cddfd0a7b73ab7b213e85 (patch) | |
tree | 90e0a5297565a84689760167c5891fde6c615d23 /engines/support/app | |
parent | 9f04e4c8e50f1dc5a7ff6f2e58974254731a6bc4 (diff) |
tickets: fix bug that allow index of other users
Diffstat (limited to 'engines/support/app')
-rw-r--r-- | engines/support/app/controllers/tickets_controller.rb | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/engines/support/app/controllers/tickets_controller.rb b/engines/support/app/controllers/tickets_controller.rb index fab26f3..1ccbd16 100644 --- a/engines/support/app/controllers/tickets_controller.rb +++ b/engines/support/app/controllers/tickets_controller.rb @@ -4,10 +4,10 @@ class TicketsController < ApplicationController respond_to :html, :json #has_scope :open, :type => boolean + before_filter :fetch_user before_filter :require_login, :only => [:index] before_filter :fetch_ticket, except: [:new, :create, :index] - before_filter :require_ticket_access, except: [:new, :create, :index] - before_filter :fetch_user + before_filter :require_ticket_access, except: [:new, :create] before_filter :set_title def new @@ -129,14 +129,24 @@ class TicketsController < ApplicationController end def ticket_access? - admin? or - @ticket.created_by.blank? or - current_user.id == @ticket.created_by + admin? or ( + @ticket && + @ticket.created_by.blank? + ) or ( + @ticket && + @ticket.created_by == current_user.id + ) or ( + @ticket.nil? && + @user && + @user.id == current_user.id + ) end def fetch_user if params[:user_id] @user = User.find(params[:user_id]) + else + @user = current_user end end @@ -146,7 +156,7 @@ class TicketsController < ApplicationController def search_options(params) params.merge( :admin_status => params[:user_id] ? 'mine' : 'all', - :user_id => @user ? @user.id : current_user.id, + :user_id => @user.id, :is_admin => admin? ) end |