From 2d4ba48ad4edf34d2d9c85699757f14ddf1aee7d Mon Sep 17 00:00:00 2001
From: Jyri-Petteri Paloposki
Date: Tue, 18 Aug 2020 11:51:16 +0300
Subject: [PATCH] Move the access control to a dedicated helper

---
 app/controllers/application_controller.rb | 7 +++++++
 app/controllers/users_controller.rb | 7 +------
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index bbe55e3a..f589762a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -154,6 +154,13 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def admin_or_self_login_required
+    unless User.find(session['user_id']).is_admin || session['user_id'] == params[:id]
+      render :body => t('errors.user_unauthorized'), :status => 401
+      return false
+    end
+  end
+
   def redirect_back_or_home
     respond_to do |format|
       format.html { redirect_back_or_default root_url }
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f4c6da9f..01d13fc1 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,6 +1,7 @@
 class UsersController < ApplicationController
   before_action :admin_login_required, :only => [ :index, :show ]
+  before_action :admin_or_self_login_required, :only => [ :destroy ]
   skip_before_action :login_required, :only => [ :new, :create ]
   prepend_before_action :login_optional, :only => [ :new, :create ]
 
@@ -132,12 +133,6 @@ class UsersController < ApplicationController
   def destroy
     @deleted_user = User.find(params[:id])
 
-    # Check that the user has access (logged in as admin or the target user.)
-    unless current_user && (current_user.is_admin || current_user == @deleted_user)
-      render :body => t('errors.user_unauthorized'), :status => 401
-      return
-    end
-
     # Remove the user
     @saved = @deleted_user.destroy
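Review bot: The "self" branch of the new admin_or_self_login_required compares `session['user_id']` directly with `params[:id]`, and in Rails `params[:id]` is always a String, so if the session stores the id as an Integer (as the usual `session[:user_id] = user.id` does) the comparison never matches and a user can no longer delete their own account (it fails closed, but it is a regression from the removed `current_user == @deleted_user` check). The helper also drops the `current_user &&` guard the removed code had, so with an empty or stale session `User.find(nil)` raises RecordNotFound and the request ends as a 404 rather than the intended 401, unless `login_required` is guaranteed to run first on destroy (the registration order in the users_controller.rb hunk does not make that explicit). The `return false` is dead code in a before_action: it is the `render` that halts the filter chain, so the method is clearer as a guard clause: `return if current_user && (current_user.is_admin || current_user.id.to_s == params[:id].to_s)` followed by `render :body => t('errors.user_unauthorized'), :status => 401`, where current_user is the helper the removed code already relied on. Since the users_controller.rb hunks now leave destroy with no in-method authorization at all, this filter is the only thing standing between a logged-in user and deleting arbitrary accounts, so a controller test for "non-admin deleting another user gets 401" and "user deleting themselves succeeds" would be worth adding in the same commit.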