Is this an error in UsersController?
Opened this issue · 2 comments
alexvkcr commented
In UsersController, we have a function to define who can delete and it goes like:
```ruby
def delete_possible?(user)
  if user.nil?
    return false
    return false
  elsif !current_user.admin?
    return false
  else
    return true
  end
end
```
I think it should be possible for users to delete their own account but not others', so the first `elsif` should be:

```ruby
elsif user != current_user
```
chargio commented
Yes, I think that this is wrong. It should take into account that one can only delete one's own children or account:
```ruby
def delete_possible?(user)
  if user.nil?
    return false
  elsif user == current_user
    return false
  elsif !current_user.admin?
    return false
  else
    return true
  end
end
```
- Create tests
- See that they are red
- Fix it
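Added example (not code from the repository discussed in this issue): a plain-Ruby model of the `delete_possible?` predicate, with the behaviour posted in the thread beside the behaviour the thread describes as intended, and a table of cases a test suite should cover so the "tests go red, then fix" step above is concrete. `User`, `admin?`, `parent_id` and the explicit `current_user` argument are assumptions for this example, not the project's real model; the parent/child relation in particular is only sketched here because the thread mentions "own children" without defining it.

```ruby
# Assumed minimal user model for the example (not the project's real class).
User = Struct.new(:id, :admin, :parent_id, keyword_init: true) do
  def admin?
    admin == true
  end
end

# Behaviour as posted in the thread: a user can never delete their own account,
# and only admins can delete anyone at all.
def delete_possible_current?(current_user, user)
  return false if user.nil?
  return false if user == current_user
  return false unless current_user.admin?
  true
end

# Behaviour the thread describes as intended: admins may delete anyone; a
# non-admin may delete only their own account or an account whose parent is
# themselves (parent_id is an assumed attribute standing in for "own children").
def delete_possible_fixed?(current_user, user)
  return false if user.nil? || current_user.nil?
  return true if current_user.admin?
  user == current_user || user.parent_id == current_user.id
end

# Constructed cases: [acting user, target user, expected result].
# These are the assertions a test file for this predicate should carry.
def cases
  admin = User.new(id: 1, admin: true)
  alice = User.new(id: 2, admin: false)
  bob   = User.new(id: 3, admin: false)
  child = User.new(id: 4, admin: false, parent_id: 2)
  {
    admin_deletes_other: [admin, bob,   true],
    user_deletes_self:   [alice, alice, true],
    user_deletes_child:  [alice, child, true],
    user_deletes_other:  [alice, bob,   false],
    nil_target:          [alice, nil,   false],
  }
end

# Names of the cases where the posted implementation disagrees with the
# expected outcome: these are the tests that should be red before the fix.
def red_cases
  cases.select { |_, (actor, target, expected)|
    delete_possible_current?(actor, target) != expected
  }.keys
end

# True when every case passes against the corrected predicate.
def green_after_fix?
  cases.all? { |_, (actor, target, expected)|
    delete_possible_fixed?(actor, target) == expected
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "red before fix: #{red_cases.inspect}"
  puts "green after fix: #{green_after_fix?}"
end
```

Running it shows exactly which cases the posted code fails (deleting one's own account and deleting one's own child), which is the list of tests worth writing first; keeping the authorization rule in a single predicate with a case table like this also makes it easy to notice when a later change widens who may delete whom.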
katafira commented
@sergio-ocon @alexvkcr I'll open a new branch and start working on it asap. The fix will go in a new PR I suppose, right?