blob: 632291dfa4b3c2ad7b5f0af381b4279c440bf720 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
#
# fetch the user taking into account permissions.
# While normal users can only change settings for themselves
# admins can change things for all users.
#
module ControllerExtension::FetchUser
extend ActiveSupport::Concern
protected
#
# fetch @user from params, but enforce permissions:
#
# * admins may fetch any user
# * monitors may fetch test users
# * users may fetch themselves
#
# these permissions matter, it is what protects
# users from being updated or deleted by other users.
#
def fetch_user
@user = User.find(params[:user_id] || params[:id])
if current_user.is_admin? || current_user.is_monitor?
if @user.nil?
not_found(t(:no_such_user), users_url)
elsif current_user.is_monitor?
access_denied unless @user.is_test?
end
elsif @user != current_user
access_denied
end
end
end
|