Add access control and :forbidden error handling

2023-04-24 23:08:55 +02:00
parent 461f0bb812
commit 634ba7e901
5 changed files with 41 additions and 23 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,7 +1,9 @@
 class UsersController < ApplicationController
-  before_action :set_user, only: %i[ show edit update destroy ]
+  before_action :find_user, only: [:show, :edit, :update, :destroy]
+  before_action do
+    raise AccessForbidden unless (current_user == @user) || current_user_at_least(:admin)
+  end

-  # GET /users
  def index
    @users = User.all
  end
@@ -47,7 +49,7 @@ class UsersController < ApplicationController

  private
    # Use callbacks to share common setup or constraints between actions.
-    def set_user
+    def find_user
      @user = User.find(params[:id])
    end