diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 4069e5aaa..39ce73313 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -2,7 +2,7 @@ class UsersController < ApplicationController require_unauthenticated_access only: %i[ new create ] before_action :set_user, only: %i[ show edit update destroy ] - before_action :set_account_from_join_code, only: %i[ new create ] + before_action :ensure_join_code_is_valid, only: %i[ new create ] before_action :ensure_permission_to_administer_user, only: %i[ update destroy ] def index @@ -36,8 +36,8 @@ class UsersController < ApplicationController end private - def set_account_from_join_code - @account = Account.find_by_join_code!(params[:join_code]) + def ensure_join_code_is_valid + head :forbidden unless Account.sole.join_code == params[:join_code] end def set_user diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb index fa9ca8312..40f078bdc 100644 --- a/app/views/users/new.html.erb +++ b/app/views/users/new.html.erb @@ -11,7 +11,7 @@