fix: user without allow_contact get 403 forbidden when accessing api/member/self_id

2025-02-19 13:54:25 +01:00 · 2015-10-07 16:30:38 +02:00 · 2015-10-07 16:30:38 +02:00 · 097d4d81dc
commit 097d4d81dc
parent e8037beaca
1 changed files with 1 additions and 1 deletions
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@ -10,7 +10,7 @@ class UserPolicy < ApplicationPolicy
  end

  def show?
-    user.is_admin? or (record.is_allow_contact and record.has_role?(:member))
+    user.is_admin? or (record.is_allow_contact and record.has_role?(:member)) or (user.id == record.id)
  end

  def create?