| author | erdgeist <erdgeist@erdgeist.org> | 2026-06-29 21:35:09 +0200 |
|---|---|---|
| committer | erdgeist <erdgeist@erdgeist.org> | 2026-06-30 19:21:16 +0200 |
| commit | ebad58c71661b62ec62f7e77ec977bda2b5bc0a3 (patch) | |
| tree | 9bbeb926dde4b8cbca62caeafc2464d37ad83d47 /app/controllers/users_controller.rb | |
| parent | 3bb2271850bab577f35291a174b1985aea2b2b55 (diff) | |
Permit :admin in params only for admins
Diffstat (limited to 'app/controllers/users_controller.rb')
| -rw-r--r-- | app/controllers/users_controller.rb | 4 |
1 files changed, 3 insertions, 1 deletions
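diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 98fd534..f01691f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -55,7 +55,9 @@ class UsersController < ApplicationController
 private
 
 def user_params
-params.fetch(:user, {}).permit(:login, :email, :password, :password_confirmation, :admin)
+allowed = [:login, :email, :password, :password_confirmation]
+allowed << :admin if current_user.admin?
+params.fetch(:user, {}).permit(allowed)
 end
 
 def find_user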
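Review bot: `current_user.admin?` in the new `user_params` raises NoMethodError when `current_user` is nil, so if any action that calls `user_params` (for example a self-registration `create`) is reachable without a session, that request now ends in a 500 instead of simply dropping `:admin`. The callers and any `before_action` login filter are outside this hunk, so this is unconfirmed. Writing the line as `allowed << :admin if current_user&.admin?` keeps the check fail-closed either way. A controller test asserting that a non-admin who submits `user[admin]=1` leaves the flag unchanged would pin this mass-assignment fix against regression.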
