From 0c186fe46bbd5fa0b09ea9025c0d6ed256d8d11d Mon Sep 17 00:00:00 2001
From: hukl
Date: Tue, 3 Nov 2009 20:16:40 +0100
Subject: Prevent regular users from promoting themselves to admins

---
 app/controllers/users_controller.rb | 1 +
 app/models/user.rb | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
(limited to 'app')

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index eb1cd4c..87df678 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -33,6 +33,7 @@ class UsersController < ApplicationController
 end
 
 def update
+ params[:user].delete(:admin) unless current_user.is_admin?
 if @user.update_attributes(params[:user])
 flash[:notice] = "Updated user #{@user.login}"
 redirect_to user_path(@user)
diff --git a/app/models/user.rb b/app/models/user.rb
index 035a145..ce5503f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -79,7 +79,11 @@ class User < ActiveRecord::Base
 return false
 end
 
- private
+ def is_admin?
+ !!admin
+ end
+
+ private
 
 def set_permission(granted, node)
 permission = self.permissions.for_node(node).first
-- 
cgit v1.3
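Review bot: The new guard in `update` raises NoMethodError when the request carries no `user` parameter, because `params[:user]` is nil when `.delete` is called, whereas the existing `update_attributes(params[:user])` did not dereference it; guard the hash first, e.g. `params[:user].delete(:admin) if params[:user] && !current_user.is_admin?`. Stripping the key in one action also leaves any other path that mass-assigns `params[:user]` (a create action, if one exists outside this hunk) unprotected, so declaring `attr_protected :admin` or an `attr_accessible` whitelist on `User` would enforce the rule at every assignment site rather than per controller action. Request parameters arrive string-keyed, so confirm that `delete(:admin)` also removes the `"admin"` key under the indifferent-access hash this Rails version provides, otherwise the filter is a no-op. The check also presumes a before filter guarantees `current_user` is non-nil here; if not, an anonymous request raises instead of being denied. `update`'s body continues past the end of the hunk.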
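Review bot: `is_admin?` departs from Ruby's predicate convention, which drops the `is_` prefix (`admin?`), and if `admin` is a boolean column ActiveRecord already generates an `admin?` attribute query method, so the new definition likely duplicates it; `alias_method :is_admin?, :admin?` would keep the controller's new call working without a second implementation. A one-line doc comment would also help, e.g. `# True when the admin flag is set; gates who may change privileged attributes in UsersController#update.` The `User` class body extends beyond both ends of the hunk.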