author | MrYummy <elemental428@gmail.com> | 2017-06-13 02:19:29 +0200 |
committer | MrYummy <elemental428@gmail.com> | 2017-06-13 02:19:29 +0200 |
commit | b075a5fd758432dd10ec0cb27d678f00b1fa65f7 (patch) | |
tree | 357a09106dfa631ca4154d2286ca59727f52b606 | |
parent | 4d42fdfeb41ce57134a7574e41650f56897303e5 (diff) |
Apparently that 'unnecessary permission check' was necessary. ¯\_(ツ)_/¯
-rw-r--r-- | app/controllers/messages_controller.rb | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 7deaeed..778f755 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -1,5 +1,7 @@
 class MessagesController < ApplicationController
 
+  before_filter :check_permission, only: :destroy
+
   def index
     if current_user
       @messages = Message.where(user_target: current_user).page(params[:page])
@@ -70,4 +72,14 @@ class MessagesController < ApplicationController
     params.require(:message).permit([:text, :user_target_id, :user_sender_id])
   end
 
+
+  private
+
+  def check_permission
+    @message = Message.find(params[:id])
+    unless @message.user_target == current_user
+      flash[:alert] = "You are not allowed to view this message"
+      redirect_to home_statics_path
+    end
+  end
 end
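Review bot: The new guard in `check_permission` passes when both sides are nil: `index` in the first hunk treats `current_user` as possibly absent, and for a message whose `user_target` is unset the comparison `@message.user_target == current_user` becomes `nil == nil`, so an unauthenticated request could still reach `destroy`; tightening it to `unless current_user && @message.user_target == current_user` closes that path. The alert text says "view" while the filter runs `only: :destroy`, so `flash[:alert] = "You are not allowed to delete this message"` would describe what was actually refused. Any other member action that looks up `Message.find(params[:id])` is not covered by this filter and cannot be judged from the hunk. `before_filter` works, but `before_action` is the Rails 4+ name and avoids a deprecation on upgrade. The `destroy` body lies outside the hunk, so whether it reuses the `@message` loaded here is not visible.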