Add access control and :forbidden error handling

This commit is contained in:
2023-04-24 23:08:55 +02:00
parent 461f0bb812
commit 634ba7e901
5 changed files with 41 additions and 23 deletions


@@ -1,6 +1,15 @@
class ApplicationController < ActionController::Base
helper_method :current_user_at_least
before_action :authenticate_user!
class AccessForbidden < StandardError
end
def current_user_at_least(status)
User.statuses[current_user.status] >= User.statuses[status]
end
protected
def after_sign_out_path_for(scope)
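Review bot: `current_user_at_least` compares `User.statuses[current_user.status] >= User.statuses[status]`, and a misspelled or unknown `status` key makes the right-hand lookup return nil, so the call raises NoMethodError instead of answering the authorization question; `User.statuses.fetch(status)` would fail with a clear KeyError at the call site, which is preferable for a check that gates access. The method also silently depends on the declaration order of the status enum (presumably a Rails enum mapping) for its "at least" semantics, so a comment such as `# Authorization helper: true when current_user's status ranks at or above +status+ in the User.statuses enum ordering — reordering that enum changes who passes.` should sit above the `def`. `AccessForbidden` is defined here but the hunk header reports 15 new lines while fewer are shown, so where it is rescued and mapped to a :forbidden response is not visible in this view; if that `rescue_from` is not part of this commit, an unhandled raise would surface as a 500 rather than 403.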


@@ -1,7 +1,9 @@
class UsersController < ApplicationController
before_action :set_user, only: %i[ show edit update destroy ]
before_action :find_user, only: [:show, :edit, :update, :destroy]
before_action do
raise AccessForbidden unless (current_user == @user) || current_user_at_least(:admin)
end
# GET /users
def index
@users = User.all
end
@@ -47,7 +49,7 @@ class UsersController < ApplicationController
private
# Use callbacks to share common setup or constraints between actions.
def set_user
def find_user
@user = User.find(params[:id])
end
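Review bot: The new `before_action do ... end` block runs for every action, but `find_user` only sets `@user` for show/edit/update/destroy, so on index, new and create the check becomes `current_user == nil || current_user_at_least(:admin)` and non-admin users are denied those actions. That is fail-closed, which is the safer direction, but it is not obviously intended for `index`; if it is, make the intent explicit with a comment like `# All actions are admin-only unless the record belongs to the signed-in user (only set by find_user).`, and if it is not, scope the block with `only:`/`except:` to match `find_user`. The block also relies on being declared after `before_action :find_user` so that `@user` is populated first, which is easy to break on a later reorder and worth noting in that same comment. The `find_user` body in the second hunk is otherwise fine (`User.find` raises RecordNotFound on a bad id).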