From 67b5aa4198e0f6ab2cd29767aedcb4bf5b5dc4d9 Mon Sep 17 00:00:00 2001
From: elijah <elijah@riseup.net>
Date: Mon, 28 Mar 2016 15:52:21 -0700
Subject: api tokens - clarify terms: "monitors" are admins that authenticated
 via api token, "tmp" users are users that exist only in tmp db, "test" users
 are either tmp users or users named "test_user_x"

---
 app/controllers/controller_extension/fetch_user.rb | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

(limited to 'app/controllers/controller_extension/fetch_user.rb')

diff --git a/app/controllers/controller_extension/fetch_user.rb b/app/controllers/controller_extension/fetch_user.rb
index 695d723..97f92fa 100644
--- a/app/controllers/controller_extension/fetch_user.rb
+++ b/app/controllers/controller_extension/fetch_user.rb
@@ -8,11 +8,25 @@ module ControllerExtension::FetchUser
 
   protected
 
+  #
+  # fetch @user from params, but enforce permissions:
+  #
+  # * admins may fetch any user
+  # * monitors may fetch test users
+  # * users may fetch themselves
+  #
+  # these permissions matter, it is what protects
+  # users from being updated or deleted by other users.
+  #
   def fetch_user
     @user = User.find(params[:user_id] || params[:id])
-    if !@user && admin?
-      redirect_to users_url, :alert => t(:no_such_thing, :thing => 'user')
-    elsif !admin? && @user != current_user
+    if current_user.is_admin? || current_user.is_monitor?
+      if @user.nil?
+        not_found(t(:no_such_thing, :thing => 'user'), users_url)
+      elsif current_user.is_monitor?
+        access_denied unless @user.is_test?
+      end
+    elsif @user != current_user
       access_denied
     end
   end
-- 
cgit v1.2.3