Fix mass-assignment. Dont allow users w/o access to create team

2013-01-25 15:42:41 +02:00 · 2013-01-25 15:42:41 +02:00 · 3ddd9f753c
commit 3ddd9f753c
parent 70e05801b1
3 changed files with 9 additions and 8 deletions
--- a/app/controllers/teams_controller.rb
+++ b/app/controllers/teams_controller.rb
@ -1,13 +1,10 @@
 class TeamsController < ApplicationController
  # Authorize
-  before_filter :authorize_manage_user_team!
-  before_filter :authorize_admin_user_team!
+  before_filter :authorize_create_team!, only: [:new, :create]
+  before_filter :authorize_manage_user_team!, only: [:edit, :update]
+  before_filter :authorize_admin_user_team!, only: [:destroy]

-  # Skip access control on public section
-  skip_before_filter :authorize_manage_user_team!, only: [:index, :show, :new, :destroy, :create, :search, :issues, :merge_requests]
-  skip_before_filter :authorize_admin_user_team!, only: [:index, :show, :new, :create, :search, :issues, :merge_requests]
-
-  layout 'user_team',       only: [:show, :edit, :update, :destroy, :issues, :merge_requests, :search]
+  layout 'user_team', except: [:new, :create]

  def index
    @teams = current_user.user_teams.order('name ASC')