Fix IDOR in requests

app/controllers/notifications_controller.rb

@@ -1,5 +1,5 @@
 class NotificationsController < ApplicationController
-  load_and_authorize_resource :user, only: :index, find_by: :name
+  load_and_authorize_resource :user, find_by: :name
 
   before_action :load_notification, only: :read
   authorize_resource :notification, only: :read

app/controllers/requests_controller.rb

@@ -1,5 +1,5 @@
 class RequestsController < ApplicationController
-  load_and_authorize_resource :user, only: :index, find_by: :name
+  load_and_authorize_resource :user, find_by: :name
 
   before_action :load_request, only: [:confirm, :decline]
   authorize_resource :request, only: [:confirm, :decline]

app/models/user_ability.rb

@@ -5,8 +5,9 @@ class UserAbility
     return unless user
 
     can :manage, :all if user.penning?
-    can :manage, user, id: user.id
-    can :manage, Request,      creditor_id: user.id
+    can :create, Request, creditor_id: user.id
+    can [:confirm, :decline], Request, debtor_id: user.id
+    can :read, User, id: user.id
     can :manage, Notification, user_id: user.id
     can :create, Transaction do |t|
       t.debtor == user && t.amount <= Rails.application.config.maximum_amount