Fix IDOR in requests

This commit is contained in:
redfast00 2019-03-24 22:31:03 +01:00
parent 43580c3545
commit b44e288070
No known key found for this signature in database
GPG key ID: 5946E0E34FD0553C
3 changed files with 5 additions and 4 deletions

View file

@ -1,5 +1,5 @@
class NotificationsController < ApplicationController
load_and_authorize_resource :user, only: :index, find_by: :name
load_and_authorize_resource :user, find_by: :name
before_action :load_notification, only: :read
authorize_resource :notification, only: :read

View file

@ -1,5 +1,5 @@
class RequestsController < ApplicationController
load_and_authorize_resource :user, only: :index, find_by: :name
load_and_authorize_resource :user, find_by: :name
before_action :load_request, only: [:confirm, :decline]
authorize_resource :request, only: [:confirm, :decline]

View file

@ -5,8 +5,9 @@ class UserAbility
return unless user
can :manage, :all if user.penning?
can :manage, user, id: user.id
can :manage, Request, creditor_id: user.id
can :create, Request, creditor_id: user.id
can [:confirm, :decline], Request, debtor_id: user.id
can :read, User, id: user.id
can :manage, Notification, user_id: user.id
can :create, Transaction do |t|
t.debtor == user && t.amount <= Rails.application.config.maximum_amount