diff options
author | Azul <azul@leap.se> | 2012-11-28 15:13:47 +0100 |
---|---|---|
committer | Azul <azul@leap.se> | 2012-11-28 15:22:09 +0100 |
commit | 277b9f98bfbe2ef0217dfd17c8d9d6597369b903 (patch) | |
tree | 95f3ad2867708e825a6635eb57b94a17b83ae2fe /users/app/controllers | |
parent | 1d7ea661ca0cc03ffb10026e306d4e451e085cfa (diff) |
admins can destroy users
I changed the permissions a little to be more consistent.
Now:
* admins can edit users
* users can destroy themselves.
There's no ui for either of them but theoretically they could. Not sure this is what we want though.
Diffstat (limited to 'users/app/controllers')
-rw-r--r-- | users/app/controllers/users_controller.rb | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb index 925b584..3407191 100644 --- a/users/app/controllers/users_controller.rb +++ b/users/app/controllers/users_controller.rb @@ -2,7 +2,7 @@ class UsersController < ApplicationController skip_before_filter :verify_authenticity_token, :only => [:create] - before_filter :fetch_user, :only => [:edit, :update] + before_filter :fetch_user, :only => [:edit, :update, :destroy] before_filter :authorize_admin, :only => [:index] respond_to :json, :html @@ -34,10 +34,15 @@ class UsersController < ApplicationController respond_with @user end + def destroy + @user.destroy + redirect_to users_path + end + protected def fetch_user @user = User.find_by_param(params[:id]) - access_denied unless @user == current_user + access_denied unless admin? or (@user == current_user) end end |