only the user themselves can regenerate their token

gate-sso · Dec 16, 2018 · 4ceccc3 · 4ceccc3
1 parent 730fe53
commit 4ceccc3
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 21 deletions.
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -92,15 +92,23 @@ def search
   # GET /users/:id/regenerate_token
   def regenerate_token
     @user = User.find(params[:id])
-    @access_token = @user.access_token
-    @access_token.token = ROTP::Base32.random_base32
-    respond_to do |format|
-      if @access_token.save
-        format.html { redirect_to user_path(@user.id), notice: 'Token regenerated.', flash: {token: @access_token.token} }
-        format.json { render :show, status: :ok, location: @user }
-      else
-        format.html { redirect_to user_path(@user.id), notice: 'Token failed to regenerate.' }
-        format.json { render json: @user.errors, status: :unprocessable_entity }
+
+    if (current_user.admin? or (current_user.id == @user.id))
+      @access_token = @user.access_token
+      @access_token.token = ROTP::Base32.random_base32
+      respond_to do |format|
+        if @access_token.save
+          format.html { redirect_to user_path(@user.id), notice: 'Token regenerated.', flash: {token: @access_token.token} }
+          format.json { render :show, status: :ok, location: @user }
+        else
+          format.html { redirect_to user_path(@user.id), notice: 'Token failed to regenerate.' }
+          format.json { render json: @user.errors, status: :unprocessable_entity }
+        end
+      end
+    else
+      respond_to do |format|
+        format.html { redirect_to user_path(@user.id), notice: 'You cannot regenerate this token.' }
+        format.json { render json: @user.errors, status: :unauthorized }
       end
     end
   end

diff --git a/app/views/users/show.html.slim b/app/views/users/show.html.slim
@@ -16,18 +16,19 @@
              span.input-group-text @
           input#email.form-control placeholder="[email protected]" readonly="" type="email" value="#{@user.email}"
 
-  form.needs-validation novalidate="" 
-    .form-row.mb-3
-      .col
-        b Your Access Token
-      .col
-        - if flash[:token]
-          .alert.alert-warning role="alert"
-            | Important! please make note of this token, you will see it only this once.
-          pre
-            = flash[:token]
-        - else
-          = link_to 'Regenerate Token', regenerate_token_user_path(@user), :data => {:confirm => 'Are you sure?'}
+  - if (current_user.admin? or (current_user.id == @user.id))
+    form.needs-validation novalidate="" 
+      .form-row.mb-3
+        .col
+          b Your Access Token
+        .col
+          - if flash[:token]
+            .alert.alert-warning role="alert"
+              | Important! please make note of this token, you will see it only this once.
+            pre
+              = flash[:token]
+          - else
+            = link_to 'Regenerate Token', regenerate_token_user_path(@user), :data => {:confirm => 'Are you sure?'}
 
   - if current_user.admin?
     .card