DirectUploadsController only accepts confirmed users

This commit is contained in:
Eric Schultz 2021-01-06 16:08:46 -06:00 committed by Eric Schultz
parent 10c991be89
commit d68b68fb70
2 changed files with 14 additions and 6 deletions

View file

@ -39,11 +39,15 @@ module Controllers::User::Authorization
QueryRoles.user_has_role?(current_user.id, role_names, host_id) QueryRoles.user_has_role?(current_user.id, role_names, host_id)
end end
def authenticate_confirmed_user! def authenticate_confirmed_user!(msg=nil, type= :html)
if !current_user if !current_user
reject_with_sign_in reject_with_sign_in(msg, type)
elsif !current_user.confirmed? && !current_role?(%i[super_associate super_admin]) elsif !current_user.confirmed? && !current_role?(%i[super_associate super_admin])
if type == :html
redirect_to new_user_confirmation_path, flash: { error: 'You need to confirm your account to do that.' } redirect_to new_user_confirmation_path, flash: { error: 'You need to confirm your account to do that.' }
else
render json: {message:msg}, status: :unauthorized
end
end end
end end

View file

@ -1,10 +1,14 @@
# frozen_string_literal: true # frozen_string_literal: true
# # License: AGPL-3.0-or-later WITH WTO-AP-3.0-or-later
# Full license explanation at https://github.com/houdiniproject/houdini/blob/master/LICENSE
class DirectUploadsController < ActiveStorage::DirectUploadsController class DirectUploadsController < ActiveStorage::DirectUploadsController
include Controllers::Nonprofit::Authorization include Controllers::Nonprofit::Authorization
skip_before_action :verify_authenticity_token, only: [:create] skip_before_action :verify_authenticity_token, only: [:create]
before_action do before_action :authenticate_user_with_json!
authenticate_user!("You must be logged in to use this", :json)
private
def authenticate_confirmed_user_with_json!
authenticate_confirmed_user!("You must be logged in to use this", :json)
end end
end end