Revision bd622a22
Added by Dominic Cleal about 8 years ago
| app/controllers/api/v1/users_controller.rb | ||
|---|---|---|
|
private
|
||
|
|
||
|
def find_resource
|
||
|
editing_self? ? @user = User.current : super
|
||
|
editing_self? ? @user = User.find(User.current.id) : super
|
||
|
end
|
||
|
end
|
||
|
end
|
||
Also available in: Unified diff
refs #14691 - user editing self should not change User.current
Rather than changing the behaviour of #to_label to return persisted
data, the User.current object should not be modified with unsaved data
from the form submission or API update.
User.current is used for authz as well as for display purposes, so
shouldn't be changed. Parameter filtering protects privilege escalation
in this case.