From b075a5fd758432dd10ec0cb27d678f00b1fa65f7 Mon Sep 17 00:00:00 2001
From: MrYummy
Date: Tue, 13 Jun 2017 02:19:29 +0200
Subject: =?UTF-8?q?Apparently=20that=20'unnecessary=20permission=20check'?=
 =?UTF-8?q?=20was=20necessary.=20=C2=AF\=5F(=E3=83=84)=5F/=C2=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/controllers/messages_controller.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 7deaeed..778f755 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -1,5 +1,7 @@
 class MessagesController < ApplicationController
+  before_filter :check_permission, only: :destroy
+
   def index
     if current_user
       @messages = Message.where(user_target: current_user).page(params[:page])
@@ -70,4 +72,14 @@ class MessagesController < ApplicationController
     params.require(:message).permit([:text, :user_target_id, :user_sender_id])
   end
+
+  private
+
+  def check_permission
+    @message = Message.find(params[:id])
+    unless @message.user_target == current_user
+      flash[:alert] = "You are not allowed to view this message"
+      redirect_to home_statics_path
+    end
+  end
 end
--
cgit v1.2.3
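Review bot: The ownership check is registered with `only: :destroy` in the first hunk, yet the flash text set in `check_permission` in the second hunk says the user is "not allowed to view this message", so either the filter's scope is narrower than intended or the message is wrong. If this controller has a `show` or `update` action outside the visible hunks, those actions still accept any message id without an ownership check; once confirmed, widen the filter to `before_action :check_permission, only: %i[show update destroy]` and adjust the wording to match what it guards. `before_filter` is the pre-Rails-5 name of `before_action`; using the latter keeps the code compatible with the deprecation. The `MessagesController` class body continues between the two hunks, so the set of actions actually defined cannot be verified here.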