Oops, fix bug for authorizing the NeoPass disconnect endpoint

Ahh right, in development `User` and `AuthUser` will have the same ID,
but that got messed up early on for us in production DTI 😅

Here, we switch the form to reference the `User` instead of the
`AuthUser` (to get the ID right), then we also change how we compare
the IDs, because `User#to_param` appends extra text onto the ID after
the number!
This commit is contained in:
Emi Matchu 2024-04-07 08:11:22 -07:00
parent 66978bf5a0
commit 89fc99c918
2 changed files with 2 additions and 2 deletions

View file

@ -23,7 +23,7 @@ class NeopassConnectionsController < ApplicationController
# the provided user ID matches. The user ID param is only really for REST
# semantics and such!
raise AccessDenied unless user_signed_in?
raise AccessDenied unless current_user.id.to_s == params[:user_id]
raise AccessDenied unless current_user.id == params[:user_id].to_i
current_user
end
end

View file

@ -53,7 +53,7 @@
<% end %>
<% if resource.neopass? %>
<%= form_with url: user_neopass_connection_path(resource), method: :delete,
<%= form_with url: user_neopass_connection_path(resource.user), method: :delete,
class: "settings-form", data: {
turbo_confirm: "Are you sure? Without a NeoPass, you'll need to use " +
"your password or your recovery email \"#{resource.email}\" to " +