DirectUploadsController only accepts confirmed users

2021-01-06 16:08:46 -06:00 · 2021-01-06 16:08:46 -06:00 · d68b68fb70
commit d68b68fb70
parent 10c991be89
2 changed files with 14 additions and 6 deletions
--- a/app/controllers/concerns/controllers/user/authorization.rb
+++ b/app/controllers/concerns/controllers/user/authorization.rb
@ -39,11 +39,15 @@ module Controllers::User::Authorization
      QueryRoles.user_has_role?(current_user.id, role_names, host_id)
    end

-    def authenticate_confirmed_user!
+    def authenticate_confirmed_user!(msg=nil, type= :html)
      if !current_user
-        reject_with_sign_in
+        reject_with_sign_in(msg, type)
      elsif !current_user.confirmed? && !current_role?(%i[super_associate super_admin])
-        redirect_to new_user_confirmation_path, flash: { error: 'You need to confirm your account to do that.' }
+        if type == :html
+          redirect_to new_user_confirmation_path, flash: { error: 'You need to confirm your account to do that.' }
+        else
+          render json: {message:msg}, status: :unauthorized
+        end
      end
    end
  
--- a/app/controllers/direct_uploads_controller.rb
+++ b/app/controllers/direct_uploads_controller.rb
@ -1,10 +1,14 @@
 # frozen_string_literal: true

-#
+# License: AGPL-3.0-or-later WITH WTO-AP-3.0-or-later
+# Full license explanation at https://github.com/houdiniproject/houdini/blob/master/LICENSE
 class DirectUploadsController < ActiveStorage::DirectUploadsController
 	include Controllers::Nonprofit::Authorization
 	skip_before_action :verify_authenticity_token, only: [:create]
-	before_action  do
-		authenticate_user!("You must be logged in to use this", :json)
+	before_action  :authenticate_user_with_json!
+
+private
+	def authenticate_confirmed_user_with_json!
+		authenticate_confirmed_user!("You must be logged in to use this", :json)
 	end
 end