def permission_to_update
return false unless current_user
+ return true if current_user.is_admin
if self.owner_changed? and
self.owner_was != current_user.uuid and
0 == Link.where(link_class: 'permission',
name: 'can_pillage',
tail_uuid: self.owner,
head_uuid: current_user.uuid).count
+ logger.warn "User #{current_user.uuid} tried to change owner of #{self.class.to_s} #{self.uuid} to #{self.owner}"
return false
end
self.owner == current_user.uuid or
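Review bot: The condition spanning `if self.owner_changed? and` through the `Link.where(...).count` comparison uses `and`/`or` as boolean operators (also on the trailing `self.owner == current_user.uuid or` line and in the new `is_admin_changed? and !current_user.is_admin` line of the prevent_privilege_escalation hunk); `&&`/`||` avoids the low-precedence trap and is what the style guide expects. The permission lookup counts every matching row only to compare with zero; `!Link.where(link_class: 'permission', name: 'can_pillage', tail_uuid: self.owner, head_uuid: current_user.uuid).exists?` expresses the same check and lets the database stop at the first hit. In the new warning, `#{self.class.to_s}` can be written `#{self.class}` since interpolation already calls to_s. The method body continues past the hunk after the trailing `or`, so the remainder of the permission expression is not visible here.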
protected
def prevent_privilege_escalation
- if self.is_admin_changed?
+ if self.is_admin_changed? and !current_user.is_admin
if current_user.uuid == self.uuid
if self.is_admin != self.is_admin_was
+ logger.warn "User #{self.uuid} tried to change is_admin from #{self.is_admin_was} to #{self.is_admin}"
self.is_admin = self.is_admin_was
end
end
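Review bot: The new condition `if self.is_admin_changed? and !current_user.is_admin` dereferences current_user with no nil guard, whereas permission_to_update in the previous hunk starts with `return false unless current_user`; if this callback can run without a signed-in user (not visible here), the new line raises NoMethodError instead of reverting the change. `if self.is_admin_changed? && !(current_user && current_user.is_admin)` keeps the revert active for an anonymous caller. The revert on `self.is_admin = self.is_admin_was` is only reached when the record belongs to the caller (`current_user.uuid == self.uuid`); the method's remaining branches and closing `end` lie past the hunk, so confirm that a non-admin editing another user's is_admin is rejected on that path as well. Since the save still succeeds after the silent revert, consider also recording the refusal on the model, e.g. `errors.add(:is_admin, "cannot be changed by a non-admin user")`, so the outcome is visible to the caller and not only in the log.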