Ensure you can only delete your own avatar or else you have to be admin
This commit is contained in:
@@ -4,6 +4,7 @@ class Users::AvatarsController < ApplicationController
|
||||
allow_unauthenticated_access only: :show
|
||||
|
||||
before_action :set_user
|
||||
before_action :ensure_permission_to_administer_user, only: :destroy
|
||||
|
||||
def show
|
||||
if stale? @user, cache_control: { max_age: (30.minutes unless Current.user == @user), stale_while_revalidate: 1.week }.compact
|
||||
@@ -21,6 +22,10 @@ class Users::AvatarsController < ApplicationController
|
||||
@user = User.find(params[:user_id])
|
||||
end
|
||||
|
||||
def ensure_permission_to_administer_user
|
||||
head :forbidden unless Current.user.admin? || Current.user == @user
|
||||
end
|
||||
|
||||
def render_avatar_or_initials
|
||||
if @user.avatar.attached?
|
||||
send_blob_stream @user.avatar
|
||||
|
||||
Reference in New Issue
Block a user