scinote-eln/scinote-web
1
1
Fork 0
mirror of https://github.com/scinote-eln/scinote-web.git synced 2025-10-09 13:28:53 +08:00
Code Issues Projects Releases Packages Wiki Activity

fixes per @mlorb 's request

Browse source
This commit is contained in:
zmagod 2018-01-24 13:21:53 +01:00
parent 259880c441
commit 9b836d04fa
3 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/controllers/users/invitations_controller.rb
View file

@ -192,7 +192,7 @@ module Users
@role = params['role'] @role = params['role']
render_403 if @emails && @emails.empty? render_403 if @emails && @emails.empty?
render_403 if @team && !can_read_team?(@team) render_403 if @team && !can_manage_team_users?(@team)
render_403 if @role && !UserTeam.roles.keys.include?(@role) render_403 if @role && !UserTeam.roles.keys.include?(@role)
end end
end end

2
app/controllers/users/settings/teams_controller.rb
View file

@ -147,7 +147,7 @@ module Users
def load_team def load_team
@team = Team.find_by_id(params[:id]) @team = Team.find_by_id(params[:id])
render_403 unless can_read_team?(@team) render_403 unless can_update_team?(@team)
end end
def create_params def create_params

2
app/controllers/users/settings/user_teams_controller.rb
View file

@ -150,7 +150,7 @@ module Users
# Don't allow the user to modify UserTeam-s if he's not admin, # Don't allow the user to modify UserTeam-s if he's not admin,
# unless he/she is modifying his/her UserTeam # unless he/she is modifying his/her UserTeam
if current_user != @user_t.user && if current_user != @user_t.user &&
!can_read_team?(@user_t.team) !can_manage_team_users?(@user_t.team)
render_403 render_403
end end
end end