restrict edit page access to users allowed to update

2016-07-11 21:06:12 +02:00
parent bb1d2c0c3e
commit d9ae4e7d3a
2 changed files with 8 additions and 0 deletions
--- a/app/controllers/forumthreads_controller.rb
+++ b/app/controllers/forumthreads_controller.rb
@@ -11,6 +11,10 @@ class ForumthreadsController < ApplicationController
  end

  def edit
+    unless mod? || @thread.author.is?(current_user)
+      flash[:alert] = "You are not allowed to edit this thread!"
+      redirect_to @thread
+    end
  end

  def new