show
end
- # update profile for the user
- def profile
- reload_object_before_update
- @object.profile params
- show
- end
-
protected
def self._setup_requires_parameters
{
- send_notification_email: { type: 'boolean', required: true },
+ user: {
+ type: 'object', required: false
+ },
+ openid_prefix: {
+ type: 'string', required: false
+ },
+ repo_name: {
+ type: 'string', required: false
+ },
+ vm_uuid: {
+ type: 'string', required: false
+ },
+ send_notification_email: {
+ type: 'boolean', required: false, default: false
+ },
}
end
- def find_objects_for_index
- if (action_name == "index") and (not @read_users.any? { |u| u.is_admin })
- # Non-admin index returns very basic information about all active users.
- # We ignore where and filters params to avoid leaking information.
- @where = {}
- @filters = []
- @select = ["uuid", "is_active", "email", "first_name", "last_name"]
- @objects = model_class.where(is_active: true)
+ def apply_filters
+ return super if @read_users.any? &:is_admin
+ if params[:uuid] != current_user.andand.uuid
+ # Non-admin index/show returns very basic information about readable users.
+ safe_attrs = ["uuid", "is_active", "email", "first_name", "last_name"]
+ if @select
+ @select = @select & safe_attrs
+ else
+ @select = safe_attrs
+ end
+ @filters += [['is_active', '=', true]]
end
super
end
projects / arvados.git / blobdiff