9f6a4f1cc6
Users could reorder columns they didn't have access to. Fixed by limiting ColumnScoped to User::Accessor#accessible_columns. References https://hackerone.com/reports/3449905
13 lines
218 B
Ruby
13 lines
218 B
Ruby
module ColumnScoped
|
|
extend ActiveSupport::Concern
|
|
|
|
included do
|
|
before_action :set_column
|
|
end
|
|
|
|
private
|
|
def set_column
|
|
@column = Current.user.accessible_columns.find(params[:column_id])
|
|
end
|
|
end
|