Oops, fix bug for authorizing the NeoPass disconnect endpoint

Ahh right, in development `User` and `AuthUser` will have the same ID,
but that got messed up early on for us in production DTI 😅

Here, we switch the form to reference the `User` instead of the
`AuthUser` (to get the ID right), then we also change how we compare
the IDs, because `User#to_param` appends extra text onto the ID after
the number!
parent 66978bf5a0
commit 89fc99c918
2 changed files with 2 additions and 2 deletions
|
@ -23,7 +23,7 @@ class NeopassConnectionsController < ApplicationController
|
||||||
# the provided user ID matches. The user ID param is only really for REST
|
# the provided user ID matches. The user ID param is only really for REST
|
||||||
# semantics and such!
|
# semantics and such!
|
||||||
raise AccessDenied unless user_signed_in?
|
raise AccessDenied unless user_signed_in?
|
||||||
raise AccessDenied unless current_user.id.to_s == params[:user_id]
|
raise AccessDenied unless current_user.id == params[:user_id].to_i
|
||||||
current_user
|
current_user
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
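Review bot: On the changed `raise AccessDenied unless current_user.id == params[:user_id].to_i` line, `String#to_i` is lenient: it reads the leading digits and ignores whatever follows, and returns 0 when there are no leading digits, so any param that merely starts with the right number passes the check. That is acceptable here because the method only ever returns `current_user` and the comment above says the param is only for REST semantics, but the reason for `to_i` is not visible in the code. Consider extending that comment to say that `User#to_param` appends text after the numeric ID, and adding a controller test in which the `User` and `AuthUser` IDs differ, since the commit message notes they coincide in development.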
@ -53,7 +53,7 @@
|
||||||
<% end %>
|
<% end %>
|
||||||
|
|
||||||
<% if resource.neopass? %>
|
<% if resource.neopass? %>
|
||||||
<%= form_with url: user_neopass_connection_path(resource), method: :delete,
|
<%= form_with url: user_neopass_connection_path(resource.user), method: :delete,
|
||||||
class: "settings-form", data: {
|
class: "settings-form", data: {
|
||||||
turbo_confirm: "Are you sure? Without a NeoPass, you'll need to use " +
|
turbo_confirm: "Are you sure? Without a NeoPass, you'll need to use " +
|
||||||
"your password or your recovery email \"#{resource.email}\" to " +
|
"your password or your recovery email \"#{resource.email}\" to " +
|
||||||
|
|
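Review bot: The `form_with url: user_neopass_connection_path(resource.user)` line now builds the URL from `resource.user`, while the neighbouring lines still read `resource.neopass?` and `resource.email`, so the template mixes two records whose IDs can differ. A short ERB comment stating that this route expects the `User` ID rather than the `AuthUser` ID would keep a later cleanup from changing it back to `resource`. It is also worth confirming that `resource.user` is always present when this form renders, since the path helper needs a record to build the URL.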