From ab1917c5fe0f03e7719863a5598ad575d9fef302 Mon Sep 17 00:00:00 2001
From: NavaL <ayoyo@thoughtworks.com>
Date: Thu, 14 Jul 2016 15:06:20 +0200
Subject: [feature] restrict is_admin in the user api, to only allow querying
 for him/herself

So that it we do not expose the is_admin property to anyone else
including other admins.
---
 app/controllers/api/users_controller.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'app/controllers')

diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index c79a729..709e076 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -28,12 +28,20 @@ module Api
         @user = User.find(params[:id])
       end
       if @user
-        respond_with @user
+        respond_with user_response
       else
         not_found
       end
     end
 
+    def user_response
+      @user.to_hash.tap do |user_hash|
+        if @user == current_user
+          user_hash['is_admin'] = @user.is_admin?
+        end
+      end
+    end
+
     def create
       if current_user.is_monitor?
         create_test_account
-- 
cgit v1.2.3