From 3240ba032de1e02b8d5554cd886414a7262892a9 Mon Sep 17 00:00:00 2001
From: Coleman
Date: Fri, 17 Oct 2008 01:03:21 -0500
Subject: [PATCH] secure the controller up a bit

---
 app/controllers/users.rb | 22 +++++++--------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/app/controllers/users.rb b/app/controllers/users.rb
index 447b5a9..8b7f9cd 100644
--- a/app/controllers/users.rb
+++ b/app/controllers/users.rb
@@ -1,6 +1,6 @@
 class Users < Application
-  before :fetch_allowed_user, :only => [ :show, :edit, :update, :delete ]
-  before :prepare_user, :only => [ :show, :edit, :update, :delete ]
+  before :fetch_allowed_user, :only => [ :edit, :update, :destroy ]
+  before :administrator?, :only => [ :destroy ]
 
   include Ambethia::ReCaptcha::Controller
 
@@ -13,10 +13,6 @@ class Users < Application
     end
   end
 
-  def show
-    render
-  end
-
   def new
     @user = User.new
     render
@@ -39,27 +35,23 @@ class Users < Application
   end
 
   def update
+    @user.attributes = params[:user] if params[:user]
     if @user.save
       flash[:notice] = 'Great success'
-      redirect url(:users)
+      redirect '/'
     else
       render :edit
     end
   end
 
-  def delete
+  def destroy
+    raise NotAllowed unless request.xhr?
     if @user.destroy
       flash[:notice] = "Epic failure, goodbye #{@user.user_name}"
       reset_session if @user.id == session[:user_id]
     else
-      flash[:error] = 'That does not work...'
+      flash[:error] = 'That did not work...'
     end
     redirect url(:users)
   end
-
-  protected
-
-  def prepare_user
-    @user.attributes = params[:user] if params[:user] and request.post?
-  end
 end
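Review bot: `before :administrator?, :only => [ :destroy ]` only guards destroy if that predicate actually halts the request, and nothing in this hunk shows that it does. In Merb (which the `before`/`render`/`url` style suggests) a before filter whose method merely returns false does not stop the chain; it has to `throw :halt`, raise, or redirect, so if `administrator?` is a plain boolean helper defined elsewhere in the app, non-administrators will still reach `destroy`. I would confirm the helper's body, or make the intent explicit with a dedicated filter: `before :require_administrator, :only => [ :destroy ]` backed by `def require_administrator; raise NotAllowed unless administrator?; end` (private). The `fetch_allowed_user` filter is declared first, so `@user` is loaded before the admin check either way.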
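Review bot: The new `@user.attributes = params[:user] if params[:user]` line in `update` mass-assigns every key the client sends and, unlike the removed `prepare_user`, no longer checks the request method (`request.post?` is gone), so any attribute on User that should not be user-editable can be set by whoever passes `fetch_allowed_user`. Since the User columns are not visible here I cannot say which fields are sensitive, but the usual fix is to assign only an explicit allow-list, e.g. `@user.attributes = params[:user].only(...)` with the editable fields named, and to restore the verb check. In `destroy`, `raise NotAllowed unless request.xhr?` relies on the X-Requested-With header, which blocks a plain cross-site form post but is not a substitute for a per-session CSRF token, and the `redirect url(:users)` after an XHR-only action is unlikely to be what the JavaScript caller wants. The enclosing class continues past this hunk's last `end`.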