block admins from impersonating other admins

This commit is contained in:
Echo 2025-07-02 00:23:08 -04:00
parent b5966cbb50
commit e46b9353bb
No known key found for this signature in database
2 changed files with 11 additions and 3 deletions


@ -174,8 +174,14 @@ class SessionsController < ApplicationController
return
end
session[:impersonater_user_id] ||= current_user.id
user = User.find(params[:id])
if user.admin? && !current_user.superadmin?
redirect_to root_path, alert: "nice try, you cant do that"
return
end
session[:impersonater_user_id] ||= current_user.id
session[:user_id] = user.id
redirect_to root_path, notice: "Impersonating #{user.username}"
end
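Review bot: The new guard on the `if user.admin? && !current_user.superadmin?` line only protects targets for which `user.admin?` is true; whether a superadmin target is also covered depends on whether `superadmin?` implies `admin?`, which this hunk does not show. If the two are independent flags, a plain admin could still impersonate a superadmin, so the safer form is `if (user.admin? || user.superadmin?) && !current_user.superadmin?`. Note also that `current_user` is whatever identity is in `session[:user_id]`, while `session[:impersonater_user_id] ||=` deliberately keeps the original impersonator across nested impersonations, so the privilege check is evaluated against the impersonated identity rather than the real operator — a superadmin already impersonating an admin would be denied here; if nested impersonation is intended, the check should be made against the user behind `session[:impersonater_user_id]`. A denied attempt is a security-relevant event, so consider recording `current_user.id` and `user.id` via `Rails.logger.warn` or the app's audit mechanism before the redirect. The enclosing method starts above this hunk, so any earlier admin-only check is not visible here.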


@ -28,8 +28,10 @@
<% end %>
<% unless current_user == user %>
<% admin_tool('', 'span') do %>
<%= link_to impersonate_user_path(user), class: "text-primary font-bold hover:text-red-300 transition-colors duration-200", data: { turbo_frame: "_top", turbo_prefetch: "false" } do %>
🥸
<% if !user.admin? || current_user.superadmin? %>
<%= link_to impersonate_user_path(user), class: "text-primary font-bold hover:text-red-300 transition-colors duration-200", data: { turbo_frame: "_top", turbo_prefetch: "false" } do %>
🥸
<% end %>
<% end %>
<% end %>
<% end %>
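Review bot: The condition `<% if !user.admin? || current_user.superadmin? %>` duplicates the authorization predicate from SessionsController by hand, which is the kind of pair that drifts the next time one side is tightened. A single predicate such as `def can_impersonate?(target) = !target.admin? || superadmin?` on User (or a policy object), called as `<% if current_user.can_impersonate?(user) %>` in the view and `unless current_user.can_impersonate?(user)` in the controller, keeps the UI and the enforcement point in agreement. Hiding the link is only a convenience, so the controller check must remain the authoritative one regardless. As written the `admin_tool('', 'span')` wrapper still renders an empty span when the link is hidden; moving the `if` outside the `admin_tool` call avoids that.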