authorMrYummy <elemental428@gmail.com>2017-06-13 02:19:29 +0200
committerMrYummy <elemental428@gmail.com>2017-06-13 02:19:29 +0200
commitb075a5fd758432dd10ec0cb27d678f00b1fa65f7 (patch)
tree357a09106dfa631ca4154d2286ca59727f52b606
parent4d42fdfeb41ce57134a7574e41650f56897303e5 (diff)
Apparently that 'unnecessary permission check' was necessary. ¯\_(ツ)_/¯
-rw-r--r--app/controllers/messages_controller.rb12
1 files changed, 12 insertions, 0 deletions
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 7deaeed..778f755 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -1,5 +1,7 @@
class MessagesController < ApplicationController
+ before_filter :check_permission, only: :destroy
+
def index
if current_user
@messages = Message.where(user_target: current_user).page(params[:page])
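Review bot: The new filter is registered with `only: :destroy`, so any other per-record action this controller defines (a `show` or `update` outside this hunk, if present) still reaches `Message.find(params[:id])` without the ownership check; if those exist, widen the list, e.g. `before_filter :check_permission, only: %i[show destroy]`. `before_filter` is the pre-Rails-5 spelling; `before_action` is the current name and behaves the same, so `before_action :check_permission, only: :destroy` is preferable if the app's Rails version supports it. The `index` action continues outside the hunk.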
@@ -70,4 +72,14 @@ class MessagesController < ApplicationController
params.require(:message).permit([:text, :user_target_id, :user_sender_id])
end
+
+ private
+
+ def check_permission
+ @message = Message.find(params[:id])
+ unless @message.user_target == current_user
+ flash[:alert] = "You are not allowed to view this message"
+ redirect_to home_statics_path
+ end
+ end
end
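Review bot: The flash text in `check_permission` says "view" while the filter only runs for `destroy`, so a rejected delete reports the wrong action; change it to `flash[:alert] = "You are not allowed to delete this message"`. The check compares `@message.user_target` with `current_user`, so a request with no signed-in user (`current_user` nil) is also redirected, which is the right default; note that it also denies the sender, so if senders are meant to delete their own sent messages the condition needs `|| @message.user_sender == current_user` — that is a policy decision not visible here. `redirect_to` inside a before-filter halts the chain, so the missing `return` is not a problem.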