From b44e288070cc880e06d58300cc988d895d2c1c52 Mon Sep 17 00:00:00 2001
From: redfast00
Date: Sun, 24 Mar 2019 22:31:03 +0100
Subject: [PATCH] Fix IDOR in requests

---
 app/controllers/notifications_controller.rb | 2 +-
 app/controllers/requests_controller.rb | 2 +-
 app/models/user_ability.rb | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/notifications_controller.rb b/app/controllers/notifications_controller.rb
index ce7bed8..3573a74 100644
--- a/app/controllers/notifications_controller.rb
+++ b/app/controllers/notifications_controller.rb
@@ -1,5 +1,5 @@
 class NotificationsController < ApplicationController
-  load_and_authorize_resource :user, only: :index, find_by: :name
+  load_and_authorize_resource :user, find_by: :name
   before_action :load_notification, only: :read
   authorize_resource :notification, only: :read
diff --git a/app/controllers/requests_controller.rb b/app/controllers/requests_controller.rb
index e0c3b54..0dbf3d9 100644
--- a/app/controllers/requests_controller.rb
+++ b/app/controllers/requests_controller.rb
@@ -1,5 +1,5 @@
 class RequestsController < ApplicationController
-  load_and_authorize_resource :user, only: :index, find_by: :name
+  load_and_authorize_resource :user, find_by: :name
   before_action :load_request, only: [:confirm, :decline]
   authorize_resource :request, only: [:confirm, :decline]
diff --git a/app/models/user_ability.rb b/app/models/user_ability.rb
index d22c540..1f48d8f 100644
--- a/app/models/user_ability.rb
+++ b/app/models/user_ability.rb
@@ -5,8 +5,9 @@ class UserAbility
     return unless user
     can :manage, :all if user.penning?
-    can :manage, user, id: user.id
-    can :manage, Request, creditor_id: user.id
+    can :create, Request, creditor_id: user.id
+    can [:confirm, :decline], Request, debtor_id: user.id
+    can :read, User, id: user.id
     can :manage, Notification, user_id: user.id
     can :create, Transaction do |t|
       t.debtor == user && t.amount <= Rails.application.config.maximum_amount
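Review bot: In the requests_controller.rb hunk, `authorize_resource :request, only: [:confirm, :decline]` on the last line still leaves the `create` action without an instance-level Request check, so the new `can :create, Request, creditor_id: user.id` rule added in the user_ability.rb hunk is only enforced if the `create` action, which lies outside this hunk, calls `authorize! :create, @request` on the built record itself; without that, a creditor_id taken from params is never compared against the current user. The widened `load_and_authorize_resource :user, find_by: :name` now runs for every action and, if CanCan treats `:user` as a parent resource here, checks `:show` on the looked-up user, which lines up with the added `can :read, User, id: user.id`, but that check only scopes the URL's user, not the creditor/debtor stored on the request. Consider either `load_and_authorize_resource :request, only: :create` next to the existing line, or an explicit `authorize! :create, @request` after the record is built, and add a request spec that posts a foreign `creditor_id` and expects a 403. The RequestsController class body continues past the end of the hunk.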