Better authentication

This commit is contained in:
redfast00 2019-04-18 22:50:33 +02:00
parent e97ce98ac3
commit c588d0f6d4
No known key found for this signature in database
GPG key ID: 5946E0E34FD0553C
3 changed files with 5 additions and 10 deletions

View file

@ -23,22 +23,13 @@
class UsersController < ApplicationController
load_and_authorize_resource
before_action :init, only: :show
skip_load_and_authorize_resource :only => :show
def show
# TODO fix this with `authorize!`
if params[:id] && (@user.name != params[:id] && !@user.admin?)
respond_to do |format|
format.json { render json: ["Mind your own business"] }
format.html { redirect_to root_url }
end
else
respond_to do |format|
format.json { render json: @user }
format.html {}
end
end
end
def update
if user_params.empty?

View file

@ -24,6 +24,9 @@ class Ability
def initialize_user(user)
can :read, :all
cannot :read, User do |otheruser|
otheruser != user && !user.admin? && !user.koelkast
end
can :manage, User, id: user.id
can :create, Order do |order|
order.user == user && user.try(:balance).try(:>, -500)

View file

@ -11,7 +11,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 20190408122720) do
ActiveRecord::Schema.define(version: 20190415182036) do
create_table "barcodes", force: :cascade do |t|
t.integer "product_id"
@ -87,6 +87,7 @@ ActiveRecord::Schema.define(version: 20190408122720) do
t.boolean "private", default: false
t.integer "frecency", default: 0, null: false
t.boolean "quickpay_hidden", default: false
t.string "key"
t.string "userkey"
end