FIX: can grant titles to regular users. Guardian initializer needs current_user, not the target user.

2025-05-30 15:28:37 +08:00 · 2013-12-10 12:46:35 -05:00
parent b0e6475b07
commit 561961eff6
3 changed files with 15 additions and 12 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -44,7 +44,7 @@ class UsersController < ApplicationController
    user = fetch_user_from_params
    guardian.ensure_can_edit!(user)
    json_result(user, serializer: UserSerializer) do |u|
-      updater = UserUpdater.new(user)
+      updater = UserUpdater.new(current_user, user)
      updater.update(params)
    end
  end