Require admin role for API family reset (#1189)

Prevent non-admin users with read_write API access from triggering family-wide reset jobs via /api/v1/users/reset.
2026-04-17 11:04:14 +00:00 · 2026-03-13 08:07:30 +01:00
parent 80026aeee4
commit 3adc011df0
2 changed files with 26 additions and 0 deletions
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -2,6 +2,7 @@

 class Api::V1::UsersController < Api::V1::BaseController
  before_action :ensure_write_scope
+  before_action :ensure_admin, only: :reset

  def reset
    FamilyResetJob.perform_later(Current.family)
@@ -24,4 +25,11 @@ class Api::V1::UsersController < Api::V1::BaseController
    def ensure_write_scope
      authorize_scope!(:write)
    end
+
+    def ensure_admin
+      return true if current_resource_owner&.admin?
+
+      render_json({ error: "forbidden", message: I18n.t("users.reset.unauthorized") }, status: :forbidden)
+      false
+    end
 end