Revision af9edf10
Added by Marek Hulán about 7 years ago
app/models/concerns/taxonomix.rb | ||
---|---|---|
if self == User
|
||
# In the case of users we want the taxonomy scope to get both the users
|
||
# of the taxonomy, admins, and the current user.
|
||
ids.concat(admin_ids)
|
||
ids.concat(admin_ids) if User.current.present? && User.current.admin?
|
||
ids << User.current.id if User.current.present?
|
||
end
|
||
|
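Review bot: the comment above `ids.concat(admin_ids)` is now stale. It still says the taxonomy scope returns the taxonomy's users, admins, and the current user, but with the added guard `if User.current.present? && User.current.admin?` admins are included only when the current user is an admin. Update the comment to state that condition, so a later reader does not restore the unconditional concat. The two adjacent lines both test `User.current.present?`, so they could share a single guard. Only this file is shown here; a test asserting that a non-admin user scoped to a taxonomy does not get admin ids back would pin the behaviour this fix is meant to enforce.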
Fixes #19612 - CVE-2017-7505 don't expose admin to taxed users