Limit access to webhooks to admins
This commit is contained in:
@@ -1,3 +1,3 @@
|
||||
class AdminController < ApplicationController
|
||||
include StaffOnly
|
||||
before_action :ensure_is_staff_member
|
||||
end
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class ApplicationController < ActionController::Base
|
||||
include Authentication, CurrentRequest, CurrentTimezone, SetPlatform, TurboFlash, WriterAffinity
|
||||
include Authentication, Authorization, CurrentRequest, CurrentTimezone, SetPlatform, TurboFlash, WriterAffinity
|
||||
|
||||
stale_when_importmap_changes
|
||||
allow_browser versions: :modern, block: -> { render "errors/not_acceptable", layout: "error" }
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
module Authorization
|
||||
private
|
||||
def ensure_can_administer
|
||||
head :forbidden unless Current.user.admin?
|
||||
end
|
||||
|
||||
def ensure_is_staff_member
|
||||
head :forbidden unless Current.user.staff?
|
||||
end
|
||||
end
|
||||
@@ -1,12 +0,0 @@
|
||||
module StaffOnly
|
||||
extend ActiveSupport::Concern
|
||||
|
||||
included do
|
||||
before_action :ensure_staff
|
||||
end
|
||||
|
||||
private
|
||||
def ensure_staff
|
||||
head :forbidden unless Current.user.staff?
|
||||
end
|
||||
end
|
||||
@@ -1,6 +1,5 @@
|
||||
class Conversations::MessagesController < ApplicationController
|
||||
include StaffOnly
|
||||
|
||||
before_action :ensure_is_staff_member
|
||||
before_action :set_conversation
|
||||
|
||||
def index
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class ConversationsController < ApplicationController
|
||||
include StaffOnly
|
||||
before_action :ensure_is_staff_member
|
||||
|
||||
def create
|
||||
Current.user.start_or_continue_conversation
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
class Webhooks::ActivationsController < ApplicationController
|
||||
before_action :ensure_can_administer
|
||||
before_action :set_webhook
|
||||
|
||||
def create
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
class WebhooksController < ApplicationController
|
||||
include FilterScoped
|
||||
|
||||
before_action :ensure_can_administer
|
||||
before_action :set_webhook, except: %i[ index new create ]
|
||||
|
||||
def index
|
||||
|
||||
@@ -18,7 +18,7 @@ module User::Role
|
||||
admin? || other == self
|
||||
end
|
||||
|
||||
def can_administer?(other)
|
||||
def can_administer?(other = nil)
|
||||
admin? && other != self
|
||||
end
|
||||
end
|
||||
|
||||
@@ -4,10 +4,13 @@
|
||||
<%= render "filters/menu", user_filtering: @user_filtering %>
|
||||
<h1 class="header__title"><%= @page_title %></h1>
|
||||
<div class="header__actions header__actions--end">
|
||||
<%= link_to webhooks_path, class: "btn" do %>
|
||||
<%= icon_tag "world" %>
|
||||
<span class="for-screen-reader">Webhooks</span>
|
||||
<% if Current.user.admin? %>
|
||||
<%= link_to webhooks_path, class: "btn" do %>
|
||||
<%= icon_tag "world" %>
|
||||
<span class="for-screen-reader">Webhooks</span>
|
||||
<% end %>
|
||||
<% end %>
|
||||
|
||||
<%= link_to workflows_path, class: "btn" do %>
|
||||
<%= icon_tag "bolt" %>
|
||||
<span class="for-screen-reader">Workflows</span>
|
||||
|
||||
Reference in New Issue
Block a user