Move verification to abilities

author: Felipe Artur <felipefac@gmail.com> 2016-03-29 12:24:42 -0300
committer: Felipe Artur <felipefac@gmail.com> 2016-04-18 11:12:27 -0300
commit: 57519565f167cb771ffed504feefe7b0eb37c027 (patch)
tree: 07d6d44f9b9995b4f7c47513ed0f4bb61acdd725 /app/controllers/users_controller.rb
parent: b05f0a48584ea45cc89a8efaafd8e54642b8497c (diff)
download: gitlab-ce-57519565f167cb771ffed504feefe7b0eb37c027.tar.gz
1 files changed, 5 insertions, 3 deletions
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 49ddcfed7b1..69b66e161cf 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,7 +1,8 @@
 class UsersController < ApplicationController
   skip_before_action :authenticate_user!
-  before_action :set_user
-  before_filter :authorize_read_user, only: [:show]
+  #TO-DO Remove this "set_user" before action. It is not good to use before filters for loading database records.
+  before_action :set_user, except: [:show]
+  before_action :authorize_read_user, only: [:show]
 
   def show
     respond_to do |format|
@@ -76,7 +77,8 @@ class UsersController < ApplicationController
 
   private
   def authorize_read_user
-    render_404 unless @user.public?
+    set_user
+    render_404 unless can?(current_user, :read_user, @user)
   end
 
   def set_user
author	Felipe Artur <felipefac@gmail.com>	2016-03-29 12:24:42 -0300
committer	Felipe Artur <felipefac@gmail.com>	2016-04-18 11:12:27 -0300
commit	57519565f167cb771ffed504feefe7b0eb37c027 (patch)
tree	07d6d44f9b9995b4f7c47513ed0f4bb61acdd725 /app/controllers/users_controller.rb
parent	b05f0a48584ea45cc89a8efaafd8e54642b8497c (diff)
download	gitlab-ce-57519565f167cb771ffed504feefe7b0eb37c027.tar.gz