user

6 years ago · 8ffc0d51eb
parent 210d138fb9
commit 8ffc0d51eb
1 changed files with 6 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -3266,6 +3266,9 @@ class UsersController < ApplicationController
  end

  def edit
+    unless User.current.admin?
+      render_403
+    end
    @auth_sources = AuthSource.all
    @membership ||= Member.new
  end
@ -3282,6 +3285,9 @@ class UsersController < ApplicationController
  end

  def update
+    unless User.current.admin?
+      render_403
+    end
    @user.admin = params[:user][:admin] if params[:user][:admin]
    @user.login = params[:user][:login] if params[:user][:login]
    if params[:user][:password].present? && (@user.auth_source_id.nil? || params[:user][:auth_source_id].blank?)