Improve guest account security
parent
73246873fe
commit
97b08100f1
4 changed files with 13 additions and 8 deletions
|
@ -18,14 +18,18 @@ class ApplicationController < ActionController::Base
|
|||
private
|
||||
|
||||
def current_account
|
||||
@current_account ||=
|
||||
current_user&.account ||
|
||||
Account.guests.find_by(id: session[:guest_account_id])
|
||||
@current_account ||= current_user&.account
|
||||
end
|
||||
|
||||
def guest_account
|
||||
@guest_account ||= current_account
|
||||
@guest_account ||= Account.guests.find_by(id: session[:guest_account_id])
|
||||
end
|
||||
|
||||
def pundit_user
|
||||
@pundit_user ||= ApplicationPolicy::Context.new(
|
||||
account: current_account,
|
||||
account: current_account,
|
||||
guest_account: guest_account,
|
||||
)
|
||||
end
|
||||
|
||||
|
|
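Review bot: `guest_account` is filled from `current_account` first and only then from `session[:guest_account_id]`, so for a signed-in user it returns that user's own account and the `guest_account:` value passed to `ApplicationPolicy::Context` in `pundit_user` duplicates `account:`. The name does not say this, and every policy that trusts `context.guest_account` depends on it, so I would put a comment above the method such as `# Signed-in account if present, else the guest account bound to this session; nil for a visitor with neither.` Whether `session[:guest_account_id]` is reset at sign-in and sign-out is not visible on this page and is worth confirming, since that id is the only thing tying a visitor to a guest account. The old/new side of these lines is inferred from the hunk's line counts, because the rendering dropped the +/- markers.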
|
@ -20,7 +20,7 @@ class MembershipApplicationsController < ApplicationController
|
|||
@membership_application =
|
||||
MembershipApplication.new permitted_attributes MembershipApplication
|
||||
|
||||
@membership_application.account = current_account || Account.new
|
||||
@membership_application.account = guest_account || Account.new
|
||||
|
||||
authorize @membership_application
|
||||
|
||||
|
|
|
@ -62,10 +62,11 @@ class ApplicationPolicy
|
|||
end
|
||||
|
||||
class Context
|
||||
attr_reader :account
|
||||
attr_reader :account, :guest_account
|
||||
|
||||
def initialize(account:)
|
||||
def initialize(account:, guest_account:)
|
||||
@account = account
|
||||
@guest_account = guest_account
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
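Review bot: `Context` now carries two identities and, going by the controller code on this page (`current_user&.account` and `find_by`), either one can be nil, but the class does not document that. A short comment above `attr_reader` would help policy authors: `# account: signed-in user's account or nil; guest_account: account used for guest flows or nil. A nil value must never count as a match.` Separately, `guest_account:` is a required keyword, so any other code that builds a `Context` (none is visible here) will raise `ArgumentError` until it passes the new argument.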
|
@ -2,7 +2,7 @@
|
|||
|
||||
class MembershipApplicationPolicy < ApplicationPolicy
|
||||
def show?
|
||||
record.account == context.account
|
||||
record.account.in? [context.account, context.guest_account]
|
||||
end
|
||||
|
||||
def create?
|
||||
|
|
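Review bot: In `show?`, `record.account.in? [context.account, context.guest_account]` evaluates to true when `record.account` is nil and either context value is nil, which is the situation for a visitor with no sign-in and no guest session. Whether a `MembershipApplication` can exist without an account cannot be determined from this page, but if it can, the check would authorize any anonymous request. Dropping the nils removes that dependency: `record.account.in? [context.account, context.guest_account].compact`. A policy spec for the nil/nil case would keep it from regressing.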