From ab1917c5fe0f03e7719863a5598ad575d9fef302 Mon Sep 17 00:00:00 2001
From: NavaL <ayoyo@thoughtworks.com>
Date: Thu, 14 Jul 2016 15:06:20 +0200
Subject: [feature] restrict is_admin in the user api, to only allow querying
 for him/herself

So that it we do not expose the is_admin property to anyone else
including other admins.
---
 app/models/user.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'app/models/user.rb')

diff --git a/app/models/user.rb b/app/models/user.rb
index 6541305..93830cc 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -74,13 +74,16 @@ class User < CouchRest::Model::Base
   end
 
   def to_json(options={})
+    to_hash.to_json(options)
+  end
+
+  def to_hash()
     {
       :login => self.login,
       :ok => self.valid?,
       :id => self.id,
       :enabled => self.enabled?,
-      :is_admin => self.is_admin?
-    }.to_json(options)
+    }
   end
 
   def salt
-- 
cgit v1.2.3