From e2021bdcc40b51ab5e571c97e882bba10dc80ad6 Mon Sep 17 00:00:00 2001
From: jessib <jessib@leap.se>
Date: Tue, 15 Jan 2013 12:52:09 -0800
Subject: For both users and tickets, if the object is not found and the
 current user is an admin, they should see an alert that the object wasn't
 found, and be redirected to the current controller.

If the object isn't found and the current user is not an admin, then we will continue to give an error about no access, so as not to leak information about what IDs do and don't exist.
---
 users/app/controllers/users_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'users/app/controllers')

diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index 79de630..3d5a6a7 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -49,6 +49,10 @@ class UsersController < ApplicationController
 
   def fetch_user
     @user = User.find_by_param(params[:id])
+    if !@user and admin?
+      redirect_to users_path, :alert => t(:no_such_thing, :thing => 'user')
+      return
+    end
     access_denied unless admin? or (@user == current_user)
   end
 
-- 
cgit v1.2.3