Prevent non-admin users with read_write API access from triggering family-wide reset jobs via /api/v1/users/reset.
# frozen_string_literal: true
class Api::V1::UsersController < Api::V1::BaseController
  # Every action here requires the :write scope. The admin gate is added for
  # #reset alone, because that action acts on the whole family rather than
  # on the caller's own account. Filter order matters: the scope check runs
  # before the admin check.
  before_action :ensure_write_scope
  before_action :ensure_admin, only: :reset

  # Enqueues FamilyResetJob for Current.family and acknowledges at once.
  # Only reachable when both before_actions pass (write scope granted and
  # the resource owner is an admin).
  def reset
    FamilyResetJob.perform_later(Current.family)
    render(json: { message: "Account reset has been initiated" })
  end

  # Deactivates the calling user's own account (current_resource_owner),
  # never another user's, which is why no admin check applies here.
  # On success the current session, when one exists, is destroyed as well;
  # on failure the model's validation messages are returned with 422.
  def destroy
    owner = current_resource_owner

    unless owner.deactivate
      return render(json: { error: "Failed to delete account", details: owner.errors.full_messages },
                    status: :unprocessable_entity)
    end

    Current.session&.destroy
    render(json: { message: "Account has been deleted" })
  end

  private

  # Thin wrapper over the base controller's scope check for :write.
  def ensure_write_scope
    authorize_scope!(:write)
  end

  # Renders a 403 unless the resource owner is an admin; rendering inside a
  # before_action halts the filter chain, so #reset never runs for
  # non-admins. A nil resource owner counts as non-admin.
  # Returns true when the caller is an admin, false after rendering the error.
  def ensure_admin
    admin_caller = current_resource_owner&.admin? ? true : false

    unless admin_caller
      render_json(
        { error: "forbidden", message: I18n.t("users.reset.unauthorized") },
        status: :forbidden
      )
    end

    admin_caller
  end
end