Ensure you can only delete your own avatar or else you have to be admin

This commit is contained in:
David Heinemeier Hansson
2025-11-03 14:21:48 +01:00
parent 4c2f3ef0b8
commit b05e7c04e1
@@ -4,6 +4,7 @@ class Users::AvatarsController < ApplicationController
allow_unauthenticated_access only: :show
before_action :set_user
before_action :ensure_permission_to_administer_user, only: :destroy
def show
if stale? @user, cache_control: { max_age: (30.minutes unless Current.user == @user), stale_while_revalidate: 1.week }.compact
@@ -21,6 +22,10 @@ class Users::AvatarsController < ApplicationController
@user = User.find(params[:user_id])
end
def ensure_permission_to_administer_user
head :forbidden unless Current.user.admin? || Current.user == @user
end
def render_avatar_or_initials
if @user.avatar.attached?
send_blob_stream @user.avatar