From ebad58c71661b62ec62f7e77ec977bda2b5bc0a3 Mon Sep 17 00:00:00 2001
From: erdgeist
Date: Mon, 29 Jun 2026 21:35:09 +0200
Subject: Permit :admin in params only for admins

---
 app/controllers/users_controller.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 98fd534..f01691f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -55,7 +55,9 @@ class UsersController < ApplicationController
   private
 
   def user_params
-    params.fetch(:user, {}).permit(:login, :email, :password, :password_confirmation, :admin)
+    allowed = [:login, :email, :password, :password_confirmation]
+    allowed << :admin if current_user.admin?
+    params.fetch(:user, {}).permit(allowed)
   end
 
   def find_user
-- 
cgit v1.3
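Review bot: `current_user.admin?` on the second added line raises NoMethodError when no user is signed in, so if user_params is also reached from an unauthenticated action such as create (the action list is outside the hunk), that request now fails with a 500 instead of simply dropping :admin; `allowed << :admin if current_user&.admin?` keeps the same authorization outcome for guests. For non-admins the rejected :admin key goes through Rails' unpermitted-parameters handling (log or raise, per `action_on_unpermitted_parameters`), which is worth keeping visible as a signal that a caller tried to set it. As a point of style, `%i[login email password password_confirmation]` reads more idiomatically than the bracketed symbol list.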