From 8ffc0d51ebc131414dbdf0341a6965ddb69cfb18 Mon Sep 17 00:00:00 2001
From: jingquan huang
Date: Mon, 8 Apr 2019 18:06:24 +0800
Subject: [PATCH] user
---
 app/controllers/users_controller.rb | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 611b7803..3868f5a5 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -3266,6 +3266,9 @@ class UsersController < ApplicationController
 end
 def edit
+ unless User.current.admin?
+ render_403
+ end
 @auth_sources = AuthSource.all
 @membership ||= Member.new
 end
@@ -3282,6 +3285,9 @@ class UsersController < ApplicationController
 end
 def update
+ unless User.current.admin?
+ render_403
+ end
 @user.admin = params[:user][:admin] if params[:user][:admin]
 @user.login = params[:user][:login] if params[:user][:login]
 if params[:user][:password].present? && (@user.auth_source_id.nil? || params[:user][:auth_source_id].blank?)
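Review bot: The added guard in `edit`, and the identical one in `update`, calls `render_403` without returning, so for a non-admin the action keeps running after the 403 response has been rendered. In `update` the very next context line is `@user.admin = params[:user][:admin] if params[:user][:admin]`, so the attribute assignments (and presumably a save further down, outside this hunk) still execute for the rejected caller; the check does not stop the change, and a later render or redirect would also raise a double-render error. Make the guard end the action in both places, `return render_403 unless User.current.admin?`, or move the check into a controller-level filter covering `edit` and `update` so the action body never runs. Both method bodies continue outside the hunks, so the rest of each path should be confirmed against the full file.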