Fix mass-assignment. Dont allow users w/o access to create team

2013-01-25 15:42:41 +02:00 · 2013-01-25 15:42:41 +02:00 · 3ddd9f753c
commit 3ddd9f753c
parent 70e05801b1
3 changed files with 9 additions and 8 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -94,6 +94,10 @@ class ApplicationController < ActionController::Base
    return access_denied! unless can?(current_user, :download_code, project)
  end

+  def authorize_create_team!
+    return access_denied! unless can?(current_user, :create_team, nil)
+  end
+
  def authorize_manage_user_team!
    return access_denied! unless user_team.present? && can?(current_user, :manage_user_team, user_team)
  end