From dfe41c1556a5e31480a230e13033dd523ef51ba3 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/"
Date: Tue, 28 Feb 2017 13:35:37 -0800
Subject: protect internal users from impersonation

---
 app/controllers/admin/users_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'app/controllers/admin/users_controller.rb')

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 7ffde71c3b1..7f86723b921 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -32,6 +32,10 @@ class Admin::UsersController < Admin::ApplicationController
     if user.blocked?
       flash[:alert] = "You cannot impersonate a blocked user"
 
+      redirect_to admin_user_path(user)
+    elsif user.internal?
+      flash[:alert] = "You cannot impersonate an internal user"
+
       redirect_to admin_user_path(user)
     else
       session[:impersonator_id] = current_user.id
-- cgit v1.2.1

From b88314f4ad955897dc737b6e9515b43dc9d97422 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/"
Date: Tue, 7 Mar 2017 19:05:01 -0800
Subject: consolidate the error handling for #impersonate

---
 app/controllers/admin/users_controller.rb | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'app/controllers/admin/users_controller.rb')

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 7f86723b921..205cf0490ab 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -29,15 +29,7 @@ class Admin::UsersController < Admin::ApplicationController
   end
 
   def impersonate
-    if user.blocked?
-      flash[:alert] = "You cannot impersonate a blocked user"
-
-      redirect_to admin_user_path(user)
-    elsif user.internal?
-      flash[:alert] = "You cannot impersonate an internal user"
-
-      redirect_to admin_user_path(user)
-    else
+    if !can?(user, :log_in)
       session[:impersonator_id] = current_user.id
       warden.set_user(user, scope: :user)
 
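Review bot: The new `elsif user.internal?` branch, like the `blocked?` branch above it and the success path that begins at `session[:impersonator_id] = current_user.id`, leaves no audit record of who attempted to impersonate whom or why it was refused. Impersonation is a privileged action, so a log line on each path, e.g. `Rails.logger.info("impersonation of #{user.username} by #{current_user.username} refused: internal user")`, would give incident responders something to correlate a suspicious admin session with. The two denial branches also repeat the `flash[:alert]` plus `redirect_to admin_user_path(user)` pair, which could be collapsed into a single message selection and one redirect. The enclosing `impersonate` method starts above the hunk and continues below it.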
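Review bot: The new condition `if !can?(user, :log_in)` is inverted: the branch that sets `session[:impersonator_id]` and calls `warden.set_user` now runs precisely when the user cannot log in, so the blocked and internal users the removed checks were protecting become impersonatable while ordinary users are sent to the error branch. It should read `if can?(user, :log_in)`; the `else` branch added in the next hunk (`@@ -47,6 +39,17 @@`) is the denial path and depends on the same condition, so it is affected too. The `impersonate` method continues past the end of this hunk.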
@@ -47,6 +39,17 @@ class Admin::UsersController < Admin::ApplicationController
       flash[:alert] = "You are now impersonating #{user.username}"
 
       redirect_to root_path
+    else
+      flash[:alert] =
+        if user.blocked?
+          "You cannot impersonate a blocked user"
+        elsif user.internal?
+          "You cannot impersonate an internal user"
+        else
+          "You cannot impersonate a user who cannot log in"
+        end
+
+      redirect_to admin_user_path(user)
     end
   end
 
-- cgit v1.2.1

From 66f204e0f0dd74df3409547bea2cec98c8947f2c Mon Sep 17 00:00:00 2001
From: "http://jneen.net/"
Date: Thu, 9 Mar 2017 12:02:56 -0800
Subject: get the logic right :X

---
 app/controllers/admin/users_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/controllers/admin/users_controller.rb')

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 205cf0490ab..24504685e48 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -29,7 +29,7 @@ class Admin::UsersController < Admin::ApplicationController
   end
 
   def impersonate
-    if !can?(user, :log_in)
+    if can?(user, :log_in)
       session[:impersonator_id] = current_user.id
       warden.set_user(user, scope: :user)
 
-- cgit v1.2.1
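Review bot: The nine-line `if`/`elsif`/`else` assigned to `flash[:alert]` in the new `else` branch makes `impersonate` read as two methods in one; a private `impersonation_error_message` helper holding the message selection, leaving just `flash[:alert] = impersonation_error_message` here, would keep the action body to the success and denial redirects. The generic fallback "You cannot impersonate a user who cannot log in" is a good addition, since `can?(user, :log_in)` may presumably refuse for reasons beyond `blocked?` and `internal?`. The `impersonate` method starts above this hunk.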
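Review bot: The fix restores the intended condition, but nothing in this series (which is limited to `app/controllers/admin/users_controller.rb`) adds a regression test for it, and the inverted check introduced in the previous commit is exactly the kind of mistake a spec would have caught before it shipped. A controller spec asserting that `impersonate` redirects to `admin_user_path(user)` with the "You cannot impersonate a blocked user" alert for a blocked user, and sets `session[:impersonator_id]` only for a user who can log in, would pin the behaviour; if such specs already exist outside the shown file this can be disregarded. The `impersonate` method continues past the end of the hunk.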