protect internal users from impersonation

2017-02-28 13:35:37 -08:00 · 2017-02-28 13:35:37 -08:00 · dfe41c1556
parent 0ea04cc5bf
commit dfe41c1556
1 changed files with 4 additions and 0 deletions
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@ -32,6 +32,10 @@ class Admin::UsersController < Admin::ApplicationController
    if user.blocked?
      flash[:alert] = "You cannot impersonate a blocked user"

+      redirect_to admin_user_path(user)
+    elsif user.internal?
+      flash[:alert] = "You cannot impersonate an internal user"
+
      redirect_to admin_user_path(user)
    else
      session[:impersonator_id] = current_user.id