From d9ae4e7d3a3fbfd19d7d549692dc71b6e76060f7 Mon Sep 17 00:00:00 2001
From: jomo
Date: Mon, 11 Jul 2016 21:06:12 +0200
Subject: restrict edit page access to users allowed to update

---
 app/controllers/forums_controller.rb | 4 ++++
 app/controllers/forumthreads_controller.rb | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/app/controllers/forums_controller.rb b/app/controllers/forums_controller.rb
index 2841be9..ecf570e 100644
--- a/app/controllers/forums_controller.rb
+++ b/app/controllers/forums_controller.rb
@@ -16,6 +16,10 @@ class ForumsController < ApplicationController
   end
 
   def edit
+    unless admin?
+      flash[:alert] = "You are not allowed to change a forum"
+      redirect_to forums_path
+    end
   end
 
   def new
diff --git a/app/controllers/forumthreads_controller.rb b/app/controllers/forumthreads_controller.rb
index ac090f5..b9b5714 100644
--- a/app/controllers/forumthreads_controller.rb
+++ b/app/controllers/forumthreads_controller.rb
@@ -11,6 +11,10 @@ class ForumthreadsController < ApplicationController
   end
 
   def edit
+    unless mod? || @thread.author.is?(current_user)
+      flash[:alert] = "You are not allowed to edit this thread!"
+      redirect_to @thread
+    end
   end
 
   def new
-- 
cgit v1.2.3
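Review bot: The `admin?` guard added inside `edit` is a second copy of whatever check `update` already carries (the subject says edit access is being aligned with update), and two hand-written copies in separate action bodies will drift the next time one of them is touched. Declaring the rule once as a filter covers both actions and keeps the action bodies empty: `before_action :require_admin, only: %i[edit update]` with a private `require_admin` holding the flash and redirect (`before_filter` if this app predates Rails 4 — the Rails version is not visible in the patch). The redirect is also not followed by a `return`; nothing comes after the `unless` today so it is harmless, but `redirect_to forums_path and return` makes the guard safe against a later addition to the method. `admin?` and the `update` action are defined outside this hunk, so their exact shape is inferred.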
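Review bot: `@thread.author.is?(current_user)` dereferences `@thread` and then `author` with no nil guard, so if the filter that assigns `@thread` does not run for `edit` (or the author record is gone) an unauthorized request ends in a NoMethodError instead of the redirect; `@thread` is set outside the hunk, so confirm that loader's `only:` list includes `edit`. As in ForumsController, this condition presumably mirrors the one `update` already enforces, and a single shared filter such as `before_action :require_thread_editor, only: %i[edit update]` keeps the edit page and the update endpoint from diverging. Whether `mod?` also covers admins is not visible here; if it does not, an admin who is not a moderator is locked out of editing threads while still being allowed to edit forums. `@thread&.author&.is?(current_user)` would shorten the nil handling but needs Ruby 2.3+, which the patch does not establish, so an explicit nil check is the portable form.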