Regular users shouldn't be able to modify Vacation Requests from another user #18

Open
hopsor opened this issue Dec 16, 2016 · 2 comments

Comments

@hopsor
Member

hopsor commented Dec 16, 2016

Right now a regular user (not admin) is able to edit the vacation request from another user. This should be forbidden in the backend.

Was this an intended behavior @javiercr ?

@javiercr
Member

I don't think this was intended. I can't find any reason why we would want that :)

@jekuno

jekuno commented Feb 1, 2017

@hopsor Did you really manage to change a vacation request? I do see the buttons "Accept" and "Reject" but as soon as I confirm the popup nothing happens because currently there's already the following check in the VacationRequestsController:
before_action :check_admin_user, only: [:approve, :reject]

For usability reasons one could hide or disable the buttons but at least I don't see a security issue with this.
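The backend check this issue asks for, as an added example in plain Ruby (not the project's code; the User/VacationRequest fields and the action names are assumptions): approve/reject stay admin-only as in the existing before_action, while edit/update/destroy are restricted to the request's owner, with a scoped lookup shown as the alternative pattern.

```ruby
# Added example (not the project's code): plain-Ruby model of the authorization
# gap discussed in this issue. Model, field and action names are assumed.
#   approve/reject      -> admin only (what the existing before_action covers)
#   edit/update/destroy -> request owner only (the missing backend check)
#   show/index          -> owner or admin

User = Struct.new(:id, :admin, keyword_init: true)
VacationRequest = Struct.new(:id, :user_id, :status, keyword_init: true)

class NotAuthorized < StandardError; end

ADMIN_ONLY_ACTIONS = %i[approve reject].freeze
OWNER_ONLY_ACTIONS = %i[edit update destroy].freeze

# True if `user` may perform `action` on `request`. This is what a before_action
# in VacationRequestsController should enforce server-side, regardless of
# whether the buttons are hidden in the UI.
def authorized?(user, request, action)
  case action
  when *ADMIN_ONLY_ACTIONS then user.admin
  when *OWNER_ONLY_ACTIONS then request.user_id == user.id
  when :show, :index      then user.admin || request.user_id == user.id
  else false
  end
end

# Simulated controller actions: check first, then mutate. Raising (a 403 in
# Rails) replaces silently editing another user's record.
def update_request(user, request, new_status)
  raise NotAuthorized unless authorized?(user, request, :update)
  request.status = new_status
  request
end

def approve_request(user, request)
  raise NotAuthorized unless authorized?(user, request, :approve)
  request.status = "approved"
  request
end

# Alternative: scope the lookup to the caller's own records (the Rails
# `current_user.vacation_requests.find(params[:id])` idiom), so a foreign id is
# simply not found instead of being editable.
def find_own_request(user, all_requests, id)
  found = all_requests.find { |r| r.id == id && r.user_id == user.id }
  raise NotAuthorized, "request #{id} not found for user #{user.id}" unless found
  found
end
```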


3 participants