Fix IDOR in requests

2019-03-24 22:31:03 +01:00 · 2019-03-24 22:31:03 +01:00 · b44e288070
parent 43580c3545
commit b44e288070
3 changed files with 5 additions and 4 deletions
--- a/app/controllers/notifications_controller.rb
+++ b/app/controllers/notifications_controller.rb
@ -1,5 +1,5 @@
 class NotificationsController < ApplicationController
-  load_and_authorize_resource :user, only: :index, find_by: :name
+  load_and_authorize_resource :user, find_by: :name

  before_action :load_notification, only: :read
  authorize_resource :notification, only: :read
--- a/app/controllers/requests_controller.rb
+++ b/app/controllers/requests_controller.rb
@ -1,5 +1,5 @@
 class RequestsController < ApplicationController
-  load_and_authorize_resource :user, only: :index, find_by: :name
+  load_and_authorize_resource :user, find_by: :name

  before_action :load_request, only: [:confirm, :decline]
  authorize_resource :request, only: [:confirm, :decline]
--- a/app/models/user_ability.rb
+++ b/app/models/user_ability.rb
@ -5,8 +5,9 @@ class UserAbility
    return unless user

    can :manage, :all if user.penning?
-    can :manage, user, id: user.id
-    can :manage, Request,      creditor_id: user.id
+    can :create, Request, creditor_id: user.id
+    can [:confirm, :decline], Request, debtor_id: user.id
+    can :read, User, id: user.id
    can :manage, Notification, user_id: user.id
    can :create, Transaction do |t|
      t.debtor == user && t.amount <= Rails.application.config.maximum_amount