path: root/app/controllers/controller_extension/fetch_user.rb
#
# Fetch the user addressed by the request, enforcing permissions:
# normal users may only act on themselves, monitors only on test users,
# and admins on any user.
#
module ControllerExtension::FetchUser
  extend ActiveSupport::Concern

  protected

  #
  # Load the user addressed by the request into @user and enforce who may
  # act on it. Meant to run as a before filter ahead of update/destroy
  # style actions, so the checks here are what stop one user from editing
  # or deleting another.
  #
  # Permission matrix (deny by default):
  #
  # * admins may fetch any user
  # * monitors may fetch test users only -- this restriction also applies
  #   to an admin who is a monitor as well, because is_monitor? is checked
  #   inside the privileged branch
  # * everyone else may fetch only their own record
  #
  # The id comes from params[:user_id], falling back to params[:id]. It is
  # untrusted input and no decision is made on it directly: @user is loaded
  # first and then compared against current_user / inspected for is_test?.
  #
  # Assumptions not visible in this file (confirm against the including
  # controller): the nil check suggests User.find returns nil for an unknown
  # id rather than raising; current_user must already be signed in (a nil
  # current_user would raise on is_admin?); access_denied and not_found are
  # expected to render or redirect so that the filter chain halts.
  #
  def fetch_user
    @user = User.find(params[:user_id] || params[:id])
    privileged = current_user.is_admin? || current_user.is_monitor?

    if !privileged
      # Ordinary users: only their own record. An unknown id leaves @user
      # nil, which is also != current_user, so it is denied rather than
      # reported as missing.
      access_denied if @user != current_user
    elsif @user.nil?
      not_found(t(:no_such_thing, :thing => 'user'), users_url)
    elsif current_user.is_monitor?
      # Monitors are confined to test accounts.
      access_denied unless @user.is_test?
    end
  end

end