refs #16982 - remove User.current deassignment (no such user)
Allows the scope change to be reverted, as User.current is no longer set to `nil` (there is no 'admin' user).
This was relying on a bug in Ruby on Rails 4.2 where the `unscoped` call filtered through thread variables into Subnet.subnet_for which calls Subnet.all. This is fixed in 5.0, so the user must be set correctly.
Related issues
Bug #16982: CVE-2016-7078 - User with no organizations or locations can see all resources
Added by Dominic Cleal about 7 years ago
refs #16982 - remove User.current deassignment (no such user)
Allows the scope change to be reverted, as User.current is no longer set
to `nil` (there is no 'admin' user).
This was relying on a bug in Ruby on Rails 4.2 where the `unscoped` call
filtered through thread variables into Subnet.subnet_for which calls
Subnet.all. This is fixed in 5.0, so the user must be set correctly.