From 89fc99c91830bd1b8ff15e3fa5e27b796c727106 Mon Sep 17 00:00:00 2001
From: Emi Matchu
Date: Sun, 7 Apr 2024 08:11:22 -0700
Subject: [PATCH] Oops, fix bug for authorizing the NeoPass disconnect endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ahh right, in development `User` and `AuthUser` will have the same ID, but that got messed up early on for us in production DTI 😅 Here, we switch the form to reference the `User` instead of the `AuthUser` (to get the ID right), then we also change how we compare the IDs, because `User#to_param` appends extra text onto the ID after the number!
---
 app/controllers/neopass_connections_controller.rb | 2 +-
 app/views/devise/registrations/edit.html.erb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/neopass_connections_controller.rb b/app/controllers/neopass_connections_controller.rb
index 050d755f..0baa7e0c 100644
--- a/app/controllers/neopass_connections_controller.rb
+++ b/app/controllers/neopass_connections_controller.rb
@@ -23,7 +23,7 @@ class NeopassConnectionsController < ApplicationController
 # the provided user ID matches. The user ID param is only really for REST
 # semantics and such!
 raise AccessDenied unless user_signed_in?
- raise AccessDenied unless current_user.id.to_s == params[:user_id]
+ raise AccessDenied unless current_user.id == params[:user_id].to_i
 current_user
 end
 end
diff --git a/app/views/devise/registrations/edit.html.erb b/app/views/devise/registrations/edit.html.erb
index 790296aa..4c9ba44f 100644
--- a/app/views/devise/registrations/edit.html.erb
+++ b/app/views/devise/registrations/edit.html.erb
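Review bot: The added check in `neopass_connections_controller.rb`, `raise AccessDenied unless current_user.id == params[:user_id].to_i`, depends on `String#to_i` keeping only the leading digits of the `User#to_param` value, and nothing beside the line records that. `to_i` also yields 0 for a missing or non-numeric param, which is harmless here only because the method returns `current_user` and never loads a record from the param. I would state both facts above the check, for example `# user_id is User#to_param (ID plus trailing text); to_i keeps the leading number. Compared with current_user.id only, never used for lookup.`, so the lenient parse is not copied into code that does look a user up. The commit message says the bug appears only where `User` and `AuthUser` IDs differ, so a controller test with divergent IDs would presumably catch a regression; the test suite is not visible from this patch. The enclosing method begins outside the hunk.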
@@ -53,7 +53,7 @@ <% end %> <% if resource.neopass? %> - <%= form_with url: user_neopass_connection_path(resource), method: :delete, + <%= form_with url: user_neopass_connection_path(resource.user), method: :delete, class: "settings-form", data: { turbo_confirm: "Are you sure? Without a NeoPass, you'll need to use " + "your password or your recovery email \"#{resource.email}\" to " +