summaryrefslogtreecommitdiff
path: root/engines/support/app
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2014-06-03 01:12:17 -0700
committerelijah <elijah@riseup.net>2014-06-03 01:12:17 -0700
commit366ff2e7f5ecd44aab1cddfd0a7b73ab7b213e85 (patch)
tree90e0a5297565a84689760167c5891fde6c615d23 /engines/support/app
parent9f04e4c8e50f1dc5a7ff6f2e58974254731a6bc4 (diff)
tickets: fix bug that allow index of other users
Diffstat (limited to 'engines/support/app')
-rw-r--r--engines/support/app/controllers/tickets_controller.rb22
1 files changed, 16 insertions, 6 deletions
diff --git a/engines/support/app/controllers/tickets_controller.rb b/engines/support/app/controllers/tickets_controller.rb
index fab26f3..1ccbd16 100644
--- a/engines/support/app/controllers/tickets_controller.rb
+++ b/engines/support/app/controllers/tickets_controller.rb
@@ -4,10 +4,10 @@ class TicketsController < ApplicationController
respond_to :html, :json
#has_scope :open, :type => boolean
+ before_filter :fetch_user
before_filter :require_login, :only => [:index]
before_filter :fetch_ticket, except: [:new, :create, :index]
- before_filter :require_ticket_access, except: [:new, :create, :index]
- before_filter :fetch_user
+ before_filter :require_ticket_access, except: [:new, :create]
before_filter :set_title
def new
@@ -129,14 +129,24 @@ class TicketsController < ApplicationController
end
def ticket_access?
- admin? or
- @ticket.created_by.blank? or
- current_user.id == @ticket.created_by
+ admin? or (
+ @ticket &&
+ @ticket.created_by.blank?
+ ) or (
+ @ticket &&
+ @ticket.created_by == current_user.id
+ ) or (
+ @ticket.nil? &&
+ @user &&
+ @user.id == current_user.id
+ )
end
def fetch_user
if params[:user_id]
@user = User.find(params[:user_id])
+ else
+ @user = current_user
end
end
@@ -146,7 +156,7 @@ class TicketsController < ApplicationController
def search_options(params)
params.merge(
:admin_status => params[:user_id] ? 'mine' : 'all',
- :user_id => @user ? @user.id : current_user.id,
+ :user_id => @user.id,
:is_admin => admin?
)
end