Apparently that 'unnecessary permission check' was necessary. ¯\_(ツ)_/¯

2017-06-13 02:19:29 +02:00
parent 4d42fdfeb4
commit b075a5fd75
1 changed files with 12 additions and 0 deletions
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -1,5 +1,7 @@
 class MessagesController < ApplicationController

+  before_filter :check_permission, only: :destroy
+
  def index
    if current_user
      @messages = Message.where(user_target: current_user).page(params[:page])
@@ -70,4 +72,14 @@ class MessagesController < ApplicationController

    params.require(:message).permit([:text, :user_target_id, :user_sender_id])
  end
+
+  private
+
+  def check_permission
+    @message = Message.find(params[:id])
+    unless @message.user_target == current_user
+      flash[:alert] = "You are not allowed to view this message"
+      redirect_to home_statics_path
+    end
+  end
 end