summaryrefslogtreecommitdiff
path: root/app/controllers/controller_extension/fetch_user.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/controllers/controller_extension/fetch_user.rb')
-rw-r--r--app/controllers/controller_extension/fetch_user.rb20
1 files changed, 17 insertions, 3 deletions
diff --git a/app/controllers/controller_extension/fetch_user.rb b/app/controllers/controller_extension/fetch_user.rb
index 695d723..97f92fa 100644
--- a/app/controllers/controller_extension/fetch_user.rb
+++ b/app/controllers/controller_extension/fetch_user.rb
@@ -8,11 +8,25 @@ module ControllerExtension::FetchUser
protected
+ #
+ # fetch @user from params, but enforce permissions:
+ #
+ # * admins may fetch any user
+ # * monitors may fetch test users
+ # * users may fetch themselves
+ #
+ # these permissions matter, it is what protects
+ # users from being updated or deleted by other users.
+ #
def fetch_user
@user = User.find(params[:user_id] || params[:id])
- if !@user && admin?
- redirect_to users_url, :alert => t(:no_such_thing, :thing => 'user')
- elsif !admin? && @user != current_user
+ if current_user.is_admin? || current_user.is_monitor?
+ if @user.nil?
+ not_found(t(:no_such_thing, :thing => 'user'), users_url)
+ elsif current_user.is_monitor?
+ access_denied unless @user.is_test?
+ end
+ elsif @user != current_user
access_denied
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-01 15:39:47 +0000