From b05e7c04e16104bc6779bf36e2e7c29692cc058f Mon Sep 17 00:00:00 2001 From: David Heinemeier Hansson Date: Mon, 3 Nov 2025 14:21:48 +0100 Subject: [PATCH] Ensure you can only delete your own avatar or else you have to be admin --- app/controllers/users/avatars_controller.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/app/controllers/users/avatars_controller.rb b/app/controllers/users/avatars_controller.rb index 5e29250c0..8be049cc3 100644 --- a/app/controllers/users/avatars_controller.rb +++ b/app/controllers/users/avatars_controller.rb @@ -4,6 +4,7 @@ class Users::AvatarsController < ApplicationController allow_unauthenticated_access only: :show before_action :set_user + before_action :ensure_permission_to_administer_user, only: :destroy def show if stale? @user, cache_control: { max_age: (30.minutes unless Current.user == @user), stale_while_revalidate: 1.week }.compact @@ -21,6 +22,10 @@ class Users::AvatarsController < ApplicationController @user = User.find(params[:user_id]) end + def ensure_permission_to_administer_user + head :forbidden unless Current.user.admin? || Current.user == @user + end + def render_avatar_or_initials if @user.avatar.attached? send_blob_stream @user.avatar