before_filter :admin_required, only: [:setup, :unsetup]
def current
- @object = current_user
- show
+ if current_user
+ @object = current_user
+ show
+ else
+ send_error("Not logged in", status: 401)
+ end
end
+
def system
@object = system_user
show
UserNotifier.account_is_setup(@object).deliver
end
- render json: { kind: "arvados#HashList", items: @response.as_api_response(nil) }
+ send_json kind: "arvados#HashList", items: @response.as_api_response(nil)
end
# delete user agreements, vm, repository, login links; set state to inactive
}
end
- def find_objects_for_index
- if (action_name == "index") and (not @read_users.any? { |u| u.is_admin })
- # Non-admin index returns very basic information about all active users.
- # We ignore where and filters params to avoid leaking information.
- @where = {}
- @filters = []
- @select = ["uuid", "is_active", "email", "first_name", "last_name"]
- @objects = model_class.where(is_active: true)
+ def apply_filters(model_class=nil)
+ return super if @read_users.any? &:is_admin
+ if params[:uuid] != current_user.andand.uuid
+ # Non-admin index/show returns very basic information about readable users.
+ safe_attrs = ["uuid", "is_active", "email", "first_name", "last_name"]
+ if @select
+ @select = @select & safe_attrs
+ else
+ @select = safe_attrs
+ end
+ @filters += [['is_active', '=', true]]
end
super
end
projects / arvados.git / blobdiff